Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 27 Jun 2012 10:12:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        Dan Rosenberg <dan.j.rosenberg@...il.com>,
        "lauro.venancio@...nbossa.org" <lauro.venancio@...nbossa.org>,
        "aloisio.almeida@...nbossa.org" <aloisio.almeida@...nbossa.org>,
        "sameo@...ux.intel.com" <sameo@...ux.intel.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "Elias, Ilan" <ilane@...com>
Subject: Re: CVE Request: Kernel [PATCH] NFC: prevent multiple
 buffer overflows in NCI

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/27/2012 09:51 AM, Kurt Seifried wrote:
> http://marc.info/?l=linux-kernel&m=134030878917784&w=2
> 
> 
> List:       linux-kernel Subject:    [PATCH] NFC: prevent multiple
> buffer overflows in NCI From:       Dan Rosenberg <dan.j.rosenberg
> () gmail ! com> Date:       2012-06-21 19:56:12 Message-ID:
> 4FE37C5C.4090009 () gmail ! com [Download message RAW]
> 
> Fix multiple remotely-exploitable stack-based buffer overflows due
> to the NCI code pulling length fields directly from incoming frames
> and copying too much data into statically-sized arrays.
> Fortunately, there don't appear to be any active users of this code
> (yet).
> 
> This patch fixes the overflows, but I suspect the code will need to
> be completely reworked since this doesn't address the more
> systemic problem of failing to check that the values read from
> incoming frame data aren't from beyond the end of the pulled skb
> data. Build tested only.

Please use CVE-2012-3364 for this issue.

> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@...il.com> Cc:
> stable@...nel.org Cc: security@...nel.org Cc: Lauro Ramos Venancio
> <lauro.venancio@...nbossa.org> Cc: Aloisio Almeida Jr
> <aloisio.almeida@...nbossa.org> Cc: Samuel Ortiz
> <sameo@...ux.intel.com> Cc: David S. Miller <davem@...emloft.net> 
> Cc: Ilan Elias <ilane@...com> --- net/nfc/nci/ntf.c |   10
> +++++----- 1 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index
> cb26461..2ab196a 100644 --- a/net/nfc/nci/ntf.c +++
> b/net/nfc/nci/ntf.c @@ -106,7 +106,7 @@ static __u8 
> *nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev, 
> nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); data += 2; -
> nfca_poll->nfcid1_len = *data++; +	nfca_poll->nfcid1_len =
> min_t(__u8, *data++, NFC_NFCID1_MAXSIZE); pr_debug("sens_res 0x%x,
> nfcid1_len %d\n", nfca_poll->sens_res, nfca_poll->nfcid1_len); @@
> -130,7 +130,7 @@ static __u8 
> *nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev, 
> struct rf_tech_specific_params_nfcb_poll *nfcb_poll, __u8 *data) { 
> -	nfcb_poll->sensb_res_len = *data++; +	nfcb_poll->sensb_res_len =
> min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE); 
> pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len); @@ -145,7
> +145,7 @@ static __u8 
> *nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev, __u8
> *data) { nfcf_poll->bit_rate = *data++; -	nfcf_poll->sensf_res_len
> = *data++; +	nfcf_poll->sensf_res_len = min_t(__u8, *data++,
> NFC_SENSF_RES_MAXSIZE); pr_debug("bit_rate %d, sensf_res_len
> %d\n", nfcf_poll->bit_rate, nfcf_poll->sensf_res_len); @@ -331,7
> +331,7 @@ static int nci_extract_activation_params_iso_dep(struct 
> nci_dev *ndev, switch (ntf->activation_rf_tech_and_mode) { case
> NCI_NFC_A_PASSIVE_POLL_MODE: nfca_poll =
> &ntf->activation_params.nfca_poll_iso_dep; -
> nfca_poll->rats_res_len = *data++; +		nfca_poll->rats_res_len =
> min_t(__u8, *data++, 20); pr_debug("rats_res_len %d\n",
> nfca_poll->rats_res_len); if (nfca_poll->rats_res_len > 0) { 
> memcpy(nfca_poll->rats_res, @@ -341,7 +341,7 @@ static int 
> nci_extract_activation_params_iso_dep(struct nci_dev *ndev, case
> NCI_NFC_B_PASSIVE_POLL_MODE: nfcb_poll =
> &ntf->activation_params.nfcb_poll_iso_dep; -
> nfcb_poll->attrib_res_len = *data++; +		nfcb_poll->attrib_res_len =
> min_t(__u8, *data++, 50); pr_debug("attrib_res_len %d\n",
> nfcb_poll->attrib_res_len); if (nfcb_poll->attrib_res_len > 0) { 
> memcpy(nfcb_poll->attrib_res,
> 
> 
> 
> 

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP6zDSAAoJEBYNRVNeJnmTnRgP/jJx6T19clbhfikUKGZ8dGhi
60WjiO0wQOeRO/CB6woTUbyy3MV84Jw8LSklOYv9p7Y1EU45UvAbnnlC9f4wzA6J
fvULUEucXaoflBydY+S4+UcL0N3Q0nKOFZsQUVs9MgyNTzV0oBF5mCG+fHPiGFMB
05IECXKh7n+Wssq+nUOORj75JOpyNWfgKNSRSQHFjjmYdXzhyYfTPzg1HwVWu9qC
NwRKI4VMiYFUpUGRyukks6E6IaDmacq0gLNOPAKPeVMkibOSZvsed0tKjqagatOI
GSuo/f1D1mWMyhce/yFU0mZ0YK/Hha+LhgsY/8u1YUX5dxonZDmDQYvT2fp1HN9t
P62XxwtZTJ7JhDl4sSfx24I6DIiItUCjzQa0ks1ODNP0gkFVOVu0E+mECkyKUX1d
IHb/DqAheQWDsSnRs8Nr1x/sYUq3NVSyyfj7QejjPEBxvFwfWqBvOI+ZzwyFrey6
q3m5CJJMwUg6n8YJivPUkP9Ix3KX5SZsDTXAnXGQasTUM0Arld3FHu1nooO97exO
zXzLgjPyQRvhl5iKFRxnhjKNKs5QnNQ2x/3aK690qPTB6tRs2jx1J+TfDmq/hgoI
GZRbK1qrZX7Gem5Kofqyc6enIjwgjW5Nlg4vIG5esQynxOnIc4vB6RvOSZpysCST
sqJpqJJVD1nYTzQIAP3U
=RUqq
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ