1. 29 Sep, 2018 1 commit
      NFC: Fix possible memory corruption when handling SHDLC I-Frame commands · 67084e26
      Suren Baghdasaryan authored
      commit 674d9de02aa7d521ebdf66c3958758bdd9c64e11 upstream.
      
      When handling SHDLC I-Frame commands, the "pipe" field used for indexing
      into an array should be checked before use. If left unchecked it
      might access memory outside of the array of size NFC_HCI_MAX_PIPES(127).
      
      Malformed NFC HCI frames could be injected by a malicious NFC device
      communicating with the device being attacked (remote attack vector),
      or even by an attacker with physical access to the I2C bus such that
      they could influence the data transfers on that bus (local attack vector).
      skb->data is controlled by the attacker and has only been sanitized in
      the most trivial ways (CRC check), therefore we can consider the
      create_info struct and all of its members to be tainted. 'create_info->pipe'
      with max value of 255 (uint8) is used to take an offset of the
      hdev->pipes array of 127 elements which can lead to OOB write.
      
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Cc: Allen Pais <allen.pais@oracle.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Suggested-by: Kevin Deus <kdeus@google.com>
      Signed-off-by: Suren Baghdasaryan <surenb@google.com>
      Acked-by: Kees Cook <keescook@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
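Added example, not the kernel's own code: a stand-alone C model of the check this commit describes, where a frame-supplied 8-bit pipe number must be validated against the 127-entry pipe table before it is used as an array index. The create_info field layout, the pipe table contents and the status values are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Mirrors the sizes named in the commit message; status values are assumed. */
#define NFC_HCI_MAX_PIPES 127
#define NFC_HCI_ANY_OK    0x00
#define NFC_HCI_ANY_E_NOK 0x01

/* Modeled layout of the create_info record carried in the frame payload
 * (assumption for this example); every field is attacker-controlled. */
struct hci_create_pipe_resp {
    uint8_t src_host;
    uint8_t src_gate;
    uint8_t dest_host;
    uint8_t dest_gate;
    uint8_t pipe;        /* uint8: 0..255, but the table has only 127 slots */
};

struct hci_pipe { uint8_t gate; uint8_t dest_host; };

/* Stand-in for hdev->pipes. */
static struct hci_pipe pipes[NFC_HCI_MAX_PIPES];

/* Handle a "pipe created" notification built from the raw frame bytes.
 * Returns the HCI status to answer with. The payload length and the pipe
 * index are both validated before the tainted data touches the array. */
int handle_pipe_created(const uint8_t *data, size_t len)
{
    struct hci_create_pipe_resp ci;

    if (len < sizeof(ci))
        return NFC_HCI_ANY_E_NOK;   /* truncated frame: never read past it */
    memcpy(&ci, data, sizeof(ci));

    /* The fix from the commit: reject out-of-range pipe numbers instead of
     * writing past the end of pipes[] (the OOB write described above). */
    if (ci.pipe >= NFC_HCI_MAX_PIPES)
        return NFC_HCI_ANY_E_NOK;

    pipes[ci.pipe].gate = ci.dest_gate;
    pipes[ci.pipe].dest_host = ci.src_host;
    return NFC_HCI_ANY_OK;
}

/* Read back a slot, with the same bound applied; 0xff means "no such pipe". */
uint8_t pipe_gate(uint8_t pipe)
{
    return pipe < NFC_HCI_MAX_PIPES ? pipes[pipe].gate : 0xff;
}
```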
  2. 22 Jul, 2018 1 commit
  3. 30 May, 2018 1 commit
  4. 30 Nov, 2017 1 commit
  5. 27 Jul, 2017 4 commits
  6. 11 Jul, 2016 3 commits
  7. 10 Jul, 2016 5 commits
      NFC: digital: Rework ACK PDU handling in initiator mode · e073eb67
      Thierry Escande authored
      With this patch, ACK PDU sk_buffs are now freed and code has been
      refactored for better errors handling.
      Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
      NFC: digital: Fix ACK & NACK PDUs handling in target mode · 482333b2
      Thierry Escande authored
      When the target receives a NACK PDU, it re-sends the last sent PDU.
      
      ACK PDUs are received by the target as a reply from the initiator to
      chained I-PDUs. There are 3 cases to handle:
      - If the target has previously received 1 or more ATN PDUs and the PNI
        in the ACK PDU is equal to the target PNI - 1, then it means that the
        initiator did not receive the last issued PDU from the target. In
        this case it re-sends this PDU.
      - If the target has received 1 or more ATN PDUs but the ACK PNI is not
        the target PNI - 1, then this means that this ACK is the reply of the
        previous chained I-PDU sent by the target. The target did not receive
        it on the first attempt and it is being re-sent by the initiator. The
        process continues as usual.
      - No ATN PDU received before this ACK PDU. This is the reply of a
        chained I-PDU. The target keeps on processing its chained I-PDU.
      
      The code has been refactored to avoid too many indentation levels.
      
      Also, ACK and NACK PDUs were not freed. This is now fixed.
      Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
      NFC: digital: Fix target DEP_REQ I-PDU handling after ATN PDU · f23a9868
      Thierry Escande authored
      When the initiator sends a DEP_REQ I-PDU, the target device may not
      reply in a timely manner. In this case the initiator device must send an
      attention PDU (ATN) and if the recipient replies with an ATN PDU in
      return, then the last I-PDU must be sent again by the initiator.
      
      This patch fixes how the target handles I-PDU received after an ATN PDU
      has been received.
      
      There are 2 possible cases:
      - The target has received the initial DEP_REQ and sends back the DEP_RES
        but the initiator did not receive it. In this case, after the
        initiator has sent an ATN PDU and the target replied to it (with an ATN
        as well), the initiator sends the saved skb of the initial DEP_REQ
        again and the target replies with the saved skb of the initial
        DEP_RES.
      - Or the target did not even receive the initial DEP_REQ. In this case,
        after the ATN PDUs exchange, the initiator sends the saved skb and the
        target simply passes it up, just as usual.
      
      This behavior is controlled using the atn_count and the PNI field of the
      digital device structure.
      Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
      NFC: digital: Remove useless call to skb_reserve() · e8e7f421
      Thierry Escande authored
      When allocating chained I-PDUs, there is no need to call skb_reserve()
      since it's already done by digital_alloc_skb() and contains enough room
      for the driver head and tail data.
      Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
      NFC: digital: Fix handling of saved PDU sk_buff pointers · 1d984c2e
      Thierry Escande authored
      This patch fixes the way an I-PDU is saved in case it needs to be sent
      again. It is now copied using pskb_copy() and not simply referenced
      using skb_get() since it could be modified by the driver.
      
      digital_in_send_saved_skb() and digital_tg_send_saved_skb() still get a
      reference on the saved skb which is re-sent but release it if the send
      operation fails. That way the caller doesn't have to take care about skb
      ref in case of error.
      
      RTOX supervisor PDU must not be saved as this can override a previously
      saved I-PDU that should be re-sent later on.
      Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
  8. 06 Jul, 2016 7 commits
  9. 04 Jul, 2016 3 commits
  10. 03 May, 2016 4 commits
  11. 25 Feb, 2016 2 commits
  12. 27 Jan, 2016 1 commit
  13. 29 Dec, 2015 4 commits
  14. 01 Dec, 2015 1 commit
      net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA · 9cd3e072
      Eric Dumazet authored
      This patch is a cleanup to make the following patch easier to
      review.
      
      The goal is to move SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA
      from (struct socket)->flags to a (struct socket_wq)->flags
      to benefit from RCU protection in sock_wake_async()
      
      To ease backports, we rename both constants.
      
      Two new helpers, sk_set_bit(int nr, struct sock *sk)
      and sk_clear_bit(int net, struct sock *sk) are added so that
      following patch can change their implementation.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  15. 28 Oct, 2015 1 commit
  16. 27 Oct, 2015 1 commit