Re: [External] : Re: [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
From: Denis Efremov
Date: Thu Jun 02 2022 - 15:04:35 EST
On 6/2/22 20:30, Denis Efremov wrote:
> Hi,
>
> On 6/2/22 20:12, Pavel Machek wrote:
>> Hi!
>>
>>> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
>>>
>>> It appears that there are some buffer overflows in EVT_TRANSACTION.
>>> This happens because the length parameters that are passed to memcpy
>>> come directly from skb->data and are not guarded in any way.
>>>
>>> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
>>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxxxxx>
>>> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
>>> Signed-off-by: Denis Efremov <denis.e.efremov@xxxxxxxxxx>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>>
>> It seems that this patch causes an memory leak, transaction does not
>> seem to be freed in the error paths.
>>
>> (I also wonder if the skb should be freed in the error paths...?)
>>
>> Reported-by: <theflamefire89@xxxxxxxxx>
>
> Same for upstream code and it looks like the problem existed even
> before this patch. I'll prepare an upstream patch and cc it to stable.
>
I checked and Martin already sent patches upstream to fix this.
https://lore.kernel.org/all/20220401180939.2025819-1-mfaltesek@xxxxxxxxxx/
https://lore.kernel.org/all/20220401180955.2025877-1-mfaltesek@xxxxxxxxxx/
https://lore.kernel.org/all/20220401181032.2026076-1-mfaltesek@xxxxxxxxxx/
https://lore.kernel.org/all/20220401181048.2026145-1-mfaltesek@xxxxxxxxxx/
Thanks,
Denis