[PATCH 0/1][T] CVE-2018-9518 - Buffer overflow in NFC

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH 0/1][T] CVE-2018-9518 - Buffer overflow in NFC

Tyler Hicks-2
https://people.canonical.com/~ubuntu-security/cve/?cve=CVE-2018-9518

A fix for this issue is present in all trees except for Trusty.

Tyler


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[PATCH 1/1] NFC: llcp: Limit size of SDP URI

Tyler Hicks-2
From: Kees Cook <[hidden email]>

The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
this both in the NLA policy and in the code that performs the allocation
and copy, to avoid writing past the end of the allocated buffer.

Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface")
Signed-off-by: Kees Cook <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

CVE-2018-9518

(cherry picked from commit fe9c842695e26d8116b61b80bfb905356f07834b)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 net/nfc/llcp_commands.c | 4 ++++
 net/nfc/netlink.c       | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 1017894807c0..50386f232a46 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -151,6 +151,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
 
  pr_debug("uri: %s, len: %zu\n", uri, uri_len);
 
+ /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
+ if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
+ return NULL;
+
  sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
  if (sdreq == NULL)
  return NULL;
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index a9b2342d5253..a00f17fe2a74 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -62,7 +62,8 @@ static const struct nla_policy nfc_genl_policy[NFC_ATTR_MAX + 1] = {
 };
 
 static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
- [NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
+ [NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
+       .len = U8_MAX - 4 },
  [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
 };
 
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [PATCH 0/1][T] CVE-2018-9518 - Buffer overflow in NFC

Khalid Elmously
In reply to this post by Tyler Hicks-2
On 2018-09-14 18:54:57 , Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/?cve=CVE-2018-9518
>
> A fix for this issue is present in all trees except for Trusty.
>
> Tyler
>
>

Acked-by: Khalid Elmously <[hidden email]>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [PATCH 0/1][T] CVE-2018-9518 - Buffer overflow in NFC

Marcelo Henrique Cerri
In reply to this post by Tyler Hicks-2
Clean upstream cherry pick.

Acked-by: Marcelo Henrique Cerri <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team