Re: Followup to "nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION" #cip

Pavel Machek

Hi!

First, thanks for reaching out to us over email.

> I noticed that the mentioned patch (https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/commit/?h=linux-4.4.y-st&id=b2df16de20b3f2ee6dbaf86b474e1bd87ddd8d51) made it into various CIP branches, e.g. linux-4.4.y-st.
> It fixes potential OOB writes.
> However, it also introduces memory leaks due to the new return statements leaking the allocated `transaction`, i.e. it misses a `devm_kfree(dev, transaction);` in those cases.
> Furthermore, there is also a logic error and potential OOB read issues which are fixed in various Android kernel forks. See e.g. https://android-review.linaro.org/plugins/gitiles/kernel/hikey-linaro/+/bf7ef8f2d57cd1f5f1846dd58ff9309efad58252
>
> I haven't found patches for that in the upstream kernels and I do not know the policy regarding such issues / not-yet-upstream patches.
> Anyway, those issues exist, and at least for some there are patches, and adding the missing devm_kfree is trivial, so I wanted to make you aware of that.
Yup, those issues seem to be real. We'd prefer not to take fixes that
are not upstream, and this is not too severe a bug. (Should the skb be
freed in the error paths, too?)

I have sent an email, and it seems fixes are pending.

Best regards,
Pavel
PS: I'm cc-ing you, in case you are not subscribed to the list.
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
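The two defects the thread discusses (lengths taken from the event payload and used without checking, and a fix whose new early returns skip the `devm_kfree`) are easy to reproduce in miniature. The block below is an added user-space model, not the st21nfca driver's code: the payload layout (one-byte tag, one-byte length, value, for an AID and then a parameter block), the buffer capacities `AID_MAX`/`PARAMS_MAX`, the sample payloads and the helper names are all assumptions for illustration. `parse_leaky` has the shape of the patch in question: bounds checks that stop the out-of-bounds reads and writes, but each failure returns without freeing. `parse_checked` validates every length against both the bytes left in the source and the destination capacity, and exits through one label that frees on every error. A counter standing in for `devm_kzalloc`/`devm_kfree` makes the leak measurable.

```c
/* Constructed model of an EVT_TRANSACTION-style parse; not the st21nfca
 * driver's code. Assumed payload: [0x81][aid_len][aid...][0x82][params_len][params...] */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AID_MAX    16   /* assumed capacity of the AID destination buffer */
#define PARAMS_MAX 32   /* assumed capacity of the params destination buffer */

struct transaction {
    uint8_t aid_len;
    uint8_t aid[AID_MAX];
    uint8_t params_len;
    uint8_t params[PARAMS_MAX];
};

/* Stand-ins for devm_kzalloc/devm_kfree that count live objects, so a
 * caller can tell whether an error path leaked the allocation. */
int live_allocs;

static struct transaction *tx_alloc(void)
{
    struct transaction *t = calloc(1, sizeof(*t));
    if (t)
        live_allocs++;
    return t;
}

static void tx_free(struct transaction *t)
{
    if (t) {
        live_allocs--;
        free(t);
    }
}

/* Shape of the fix under discussion: the checks stop the OOB accesses,
 * but every early return leaves the freshly allocated t behind. */
int parse_leaky(const uint8_t *buf, size_t len, struct transaction **out)
{
    struct transaction *t;

    *out = NULL;
    if (len < 2)
        return -EPROTO;
    if (!(t = tx_alloc()))
        return -ENOMEM;
    t->aid_len = buf[1];
    if (t->aid_len > AID_MAX || (size_t)t->aid_len + 2 > len)
        return -EPROTO;                                  /* leaks t */
    memcpy(t->aid, buf + 2, t->aid_len);
    if ((size_t)t->aid_len + 4 > len)
        return -EPROTO;                                  /* leaks t */
    t->params_len = buf[t->aid_len + 3];
    if (t->params_len > PARAMS_MAX || (size_t)t->aid_len + 4 + t->params_len > len)
        return -EPROTO;                                  /* leaks t */
    memcpy(t->params, buf + t->aid_len + 4, t->params_len);
    *out = t;
    return 0;
}

/* Hardened form: walk with an offset, check each tag, check each length
 * against the remaining source bytes and the destination capacity before
 * use, and free through a single exit label on every failure. */
int parse_checked(const uint8_t *buf, size_t len, struct transaction **out)
{
    struct transaction *t;
    size_t off = 0;

    *out = NULL;
    if (!(t = tx_alloc()))
        return -ENOMEM;
    if (len - off < 2 || buf[off] != 0x81)               /* AID tag + length */
        goto err;
    t->aid_len = buf[off + 1];
    off += 2;
    if (t->aid_len > AID_MAX || t->aid_len > len - off)
        goto err;
    memcpy(t->aid, buf + off, t->aid_len);
    off += t->aid_len;
    if (len - off < 2 || buf[off] != 0x82)               /* params tag + length */
        goto err;
    t->params_len = buf[off + 1];
    off += 2;
    if (t->params_len > PARAMS_MAX || t->params_len > len - off)
        goto err;
    memcpy(t->params, buf + off, t->params_len);
    *out = t;
    return 0;
err:
    tx_free(t);
    return -EPROTO;
}

typedef int (*parse_fn)(const uint8_t *, size_t, struct transaction **);

/* Run a parser, free any result, and return the parser's return code. */
int parse_rc(parse_fn parse, const uint8_t *buf, size_t len)
{
    struct transaction *t = NULL;
    int rc = parse(buf, len, &t);
    tx_free(t);
    return rc;
}

/* Run a parser and report how many allocations it left behind. */
int leaks_after(parse_fn parse, const uint8_t *buf, size_t len)
{
    int before = live_allocs;
    parse_rc(parse, buf, len);
    return live_allocs - before;
}

/* Constructed sample payloads (not captured from hardware). */
const uint8_t sample_good[]         = {0x81, 0x03, 0xA0, 0x00, 0x00, 0x82, 0x02, 0x11, 0x22};
const uint8_t sample_huge_aid[]     = {0x81, 0xFF, 0x00};                   /* aid_len > payload */
const uint8_t sample_short_params[] = {0x81, 0x01, 0xA0, 0x82, 0x05, 0x11}; /* claims 5, has 1 */

int main(void)
{
    printf("huge aid_len: leaky leaked %d, checked leaked %d\n",
           leaks_after(parse_leaky, sample_huge_aid, sizeof sample_huge_aid),
           leaks_after(parse_checked, sample_huge_aid, sizeof sample_huge_aid));
    printf("short params: leaky leaked %d, checked leaked %d\n",
           leaks_after(parse_leaky, sample_short_params, sizeof sample_short_params),
           leaks_after(parse_checked, sample_short_params, sizeof sample_short_params));
    return 0;
}
```

Both parsers reject the two malformed payloads, so neither reads or writes out of bounds, but only `parse_checked` returns with the allocation count unchanged; the difference is exactly the missing free on the early-return paths. The single `err:` label is the usual kernel idiom for this, and it also makes it obvious where any further per-path cleanup (such as the skb Pavel asks about) would go.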