From d07f1e8600ccb885c8f4143402b8912f7d827bcb Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 1 Sep 2014 20:27:29 +0300 Subject: [PATCH 1/3] NFC: microread: Potential overflows in microread_target_discovered() Smatch says that skb->data is untrusted so we need to check to make sure that the memcpy() doesn't overflow. Fixes: cfad1ba87150 ('NFC: Initial support for Inside Secure microread') Signed-off-by: Dan Carpenter Signed-off-by: Samuel Ortiz --- drivers/nfc/microread/microread.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/nfc/microread/microread.c b/drivers/nfc/microread/microread.c index f868333271aaf..963a4a5dc88e5 100644 --- a/drivers/nfc/microread/microread.c +++ b/drivers/nfc/microread/microread.c @@ -501,9 +501,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate, targets->sens_res = be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]); targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK]; - memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID], - skb->data[MICROREAD_EMCF_A_LEN]); targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN]; + if (targets->nfcid1_len > sizeof(targets->nfcid1)) { + r = -EINVAL; + goto exit_free; + } + memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID], + targets->nfcid1_len); break; case MICROREAD_GATE_ID_MREAD_ISO_A_3: targets->supported_protocols = @@ -511,9 +515,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate, targets->sens_res = be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A3_ATQA]); targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK]; - memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID], - skb->data[MICROREAD_EMCF_A3_LEN]); targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN]; + if (targets->nfcid1_len > sizeof(targets->nfcid1)) { + r = -EINVAL; + goto exit_free; + } + memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID], + targets->nfcid1_len); break; case MICROREAD_GATE_ID_MREAD_ISO_B: targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK; From a1b27b3867b17356089e2906c538a1049873ab42 Mon Sep 17 00:00:00 2001 From: Christophe Ricard Date: Wed, 3 Sep 2014 23:30:33 +0200 Subject: [PATCH 2/3] NFC: st21nfcb: Fix depmod dependency cycle This fix issue reported here: https://lists.01.org/pipermail/linux-nfc/2014-September/002871.html depmod: WARNING: found 6 modules in dependency cycles! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/drivers/nfc/st21nfcb/st21nfcb.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/drivers/nfc/st21nfcb/ndlc.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/rfkill/rfkill.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/nfc/nfc.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/nfc/nci/nci.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/lib/crc-ccitt.ko in dependency cycle! ./scripts/depmod.sh: line 57: 23387 Segmentation fault (core dumped) "$DEPMOD" "$@" "$KERNELRELEASE" $SYMBOL_PREFIX make: *** [_modinst_post] Error 139 Reported-by: Daniel Wagner Signed-off-by: Christophe Ricard Signed-off-by: Samuel Ortiz --- drivers/nfc/st21nfcb/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/nfc/st21nfcb/Makefile b/drivers/nfc/st21nfcb/Makefile index 13d9f03b2feaa..f4d835dd15f24 100644 --- a/drivers/nfc/st21nfcb/Makefile +++ b/drivers/nfc/st21nfcb/Makefile @@ -2,7 +2,8 @@ # Makefile for ST21NFCB NCI based NFC driver # -st21nfcb_i2c-objs = i2c.o +st21nfcb_nci-objs = ndlc.o st21nfcb.o +obj-$(CONFIG_NFC_ST21NFCB) += st21nfcb_nci.o -obj-$(CONFIG_NFC_ST21NFCB) += st21nfcb.o ndlc.o +st21nfcb_i2c-objs = i2c.o obj-$(CONFIG_NFC_ST21NFCB_I2C) += st21nfcb_i2c.o From 300c627fbc52aa5b2117ca267907ab8d7b990ead Mon Sep 17 00:00:00 2001 From: Christophe Ricard Date: Wed, 3 Sep 2014 23:30:31 +0200 Subject: [PATCH 3/3] NFC: st21nfca: Fix potential depmod dependency cycle In the previous makefile 2 modules were generated for CONFIG_NFC_ST21NFCA (st21nfca.ko and st21nfca_dep.ko). Merge both of them into st21nfca_hci.ko and fix a potential depmod dependency cycle, similar to the one we saw on st21nfcb: depmod: WARNING: found 6 modules in dependency cycles! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/drivers/nfc/st21nfcb/st21nfcb.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/drivers/nfc/st21nfcb/ndlc.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/rfkill/rfkill.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/nfc/nfc.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/nfc/nci/nci.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/lib/crc-ccitt.ko in dependency cycle! ./scripts/depmod.sh: line 57: 23387 Segmentation fault (core dumped) "$DEPMOD" "$@" "$KERNELRELEASE" $SYMBOL_PREFIX make: *** [_modinst_post] Error 139 Reported-by: Daniel Wagner Signed-off-by: Christophe Ricard Signed-off-by: Samuel Ortiz --- drivers/nfc/st21nfca/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/nfc/st21nfca/Makefile b/drivers/nfc/st21nfca/Makefile index db7a38ae05f7a..7d688f97aa278 100644 --- a/drivers/nfc/st21nfca/Makefile +++ b/drivers/nfc/st21nfca/Makefile @@ -2,7 +2,8 @@ # Makefile for ST21NFCA HCI based NFC driver # -st21nfca_i2c-objs = i2c.o +st21nfca_hci-objs = st21nfca.o st21nfca_dep.o +obj-$(CONFIG_NFC_ST21NFCA) += st21nfca_hci.o -obj-$(CONFIG_NFC_ST21NFCA) += st21nfca.o st21nfca_dep.o +st21nfca_i2c-objs = i2c.o obj-$(CONFIG_NFC_ST21NFCA_I2C) += st21nfca_i2c.o