lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 2 Dec 2022 13:36:27 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
Cc:     syzbot <syzbot+210e196cef4711b65139@...kaller.appspotmail.com>,
        davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        pabeni@...hat.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] WARNING in nci_add_new_protocol

On Sun, Nov 27, 2022 at 02:26:30PM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    4312098baf37 Merge tag 'spi-fix-v6.1-rc6' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12e25bb5880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b1129081024ee340
> dashboard link: https://syzkaller.appspot.com/bug?extid=210e196cef4711b65139
> compiler:       arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+210e196cef4711b65139@...kaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 7843 at net/nfc/nci/ntf.c:260 nci_add_new_protocol+0x268/0x30c net/nfc/nci/ntf.c:260
> memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)

This looks like a legitimate overflow flaw to me. Likely introduced with
commit 019c4fbaa790 ("NFC: Add NCI multiple targets support").

These appear to be explicitly filling fixed-size arrays:

struct nfc_target {
        u32 idx;
        u32 supported_protocols;
        u16 sens_res;
        u8 sel_res;
        u8 nfcid1_len;
        u8 nfcid1[NFC_NFCID1_MAXSIZE];
        u8 nfcid2_len;
        u8 nfcid2[NFC_NFCID2_MAXSIZE];
        u8 sensb_res_len;
        u8 sensb_res[NFC_SENSB_RES_MAXSIZE];
        u8 sensf_res_len;
        u8 sensf_res[NFC_SENSF_RES_MAXSIZE];
        u8 hci_reader_gate;
        u8 logical_idx;
        u8 is_iso15693;
        u8 iso15693_dsfid;
        u8 iso15693_uid[NFC_ISO15693_UID_MAXSIZE];
};

static int nci_add_new_protocol(..., struct nfc_target *target, ...)
{
	...
        } else if (rf_tech_and_mode == NCI_NFC_B_PASSIVE_POLL_MODE) {
                nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;

                target->sensb_res_len = nfcb_poll->sensb_res_len;
                if (target->sensb_res_len > 0) {
                        memcpy(target->sensb_res, nfcb_poll->sensb_res,
                               target->sensb_res_len);
                }
        } else if (rf_tech_and_mode == NCI_NFC_F_PASSIVE_POLL_MODE) {
                nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;

                target->sensf_res_len = nfcf_poll->sensf_res_len;
                if (target->sensf_res_len > 0) {
                        memcpy(target->sensf_res, nfcf_poll->sensf_res,
                               target->sensf_res_len);
                }
        } else if (rf_tech_and_mode == NCI_NFC_V_PASSIVE_POLL_MODE) {
                nfcv_poll = (struct rf_tech_specific_params_nfcv_poll *)params;

                target->is_iso15693 = 1;
                target->iso15693_dsfid = nfcv_poll->dsfid;
                memcpy(target->iso15693_uid, nfcv_poll->uid, NFC_ISO15693_UID_MAXSIZE);
	}
	...

But the sizes are unbounds-checked, which means the buffers can be
overwritten (as seen with the syzkaller report).

Perhaps this to fix it?

diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index 282c51051dcc..3a79f07bfea7 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -240,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
 		target->sens_res = nfca_poll->sens_res;
 		target->sel_res = nfca_poll->sel_res;
 		target->nfcid1_len = nfca_poll->nfcid1_len;
+		if (target->nfcid1_len > ARRAY_SIZE(target->target->nfcid1))
+			return -EPROTO;
 		if (target->nfcid1_len > 0) {
 			memcpy(target->nfcid1, nfca_poll->nfcid1,
 			       target->nfcid1_len);
@@ -248,6 +250,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
 		nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
 
 		target->sensb_res_len = nfcb_poll->sensb_res_len;
+		if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res))
+			return -EPROTO;
 		if (target->sensb_res_len > 0) {
 			memcpy(target->sensb_res, nfcb_poll->sensb_res,
 			       target->sensb_res_len);
@@ -256,6 +260,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
 		nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
 
 		target->sensf_res_len = nfcf_poll->sensf_res_len;
+		if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res))
+			return -EPROTO;
 		if (target->sensf_res_len > 0) {
 			memcpy(target->sensf_res, nfcf_poll->sensf_res,
 			       target->sensf_res_len);


-- 
Kees Cook

Powered by blists - more mailing lists