• Mateusz Jurczyk's avatar
    nfc: Fix the sockaddr length sanitization in llcp_sock_connect · f71ce1c8
    Mateusz Jurczyk authored
    commit 608c4adf upstream.
    
    Fix the sockaddr length verification in the connect() handler of NFC/LLCP
    sockets, to compare against the size of the actual structure expected on
    input (sockaddr_nfc_llcp) instead of its shorter version (sockaddr_nfc).
    
    Both structures are defined in include/uapi/linux/nfc.h. The fields
    specific to the _llcp extended struct are as follows:
    
       276		__u8 dsap; /* Destination SAP, if known */
       277		__u8 ssap; /* Source SAP to be bound to */
       278		char service_name[NFC_LLCP_MAX_SERVICE_NAME]; /* Service name URI */;
       279		size_t service_name_len;
    
    If the caller doesn't provide a sufficiently long sockaddr buffer, these
    fields remain uninitialized (and they currently originate from the stack
    frame of the top-level sys_connect handler). They are then copied by
    llcp_sock_connect() into internal storage (nfc_llcp_sock structure), and
    could be subsequently read back through the user-mode getsockname()
    function (handled by llcp_sock_getname()). This would result in the
    disclosure of up to ~70 uninitialized bytes from the kernel stack to
    user-mode clients capable of creating AFC_NFC sockets.
    Signed-off-by: default avatarMateusz Jurczyk <mjurczyk@google.com>
    Acked-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    f71ce1c8
llcp_sock.c 22.1 KB