From 091f76e86d3fdcb13008f1e8fb7910f2a69db3e9 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Sat, 20 Jul 2019 18:14:43 +0200 Subject: [PATCH] nfc: Ensure presence of required attributes in the deactivate_target handler (CVE-2019-12984) --- debian/changelog | 2 + ...-attributes-in-the-deactivate_target.patch | 37 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 40 insertions(+) create mode 100644 debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch diff --git a/debian/changelog b/debian/changelog index 052c71ec9..e3e299d8a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,8 @@ linux (4.19.37-6) UNRELEASED; urgency=medium [ Romain Perier ] * [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233) * [powerpc*] mm/64s/hash: Reallocate context ids on fork (CVE-2019-12817) + * nfc: Ensure presence of required attributes in the deactivate_target handler + (CVE-2019-12984) -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 diff --git a/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch b/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch new file mode 100644 index 000000000..96d569ace --- /dev/null +++ b/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch @@ -0,0 +1,37 @@ +From 385097a3675749cbc9e97c085c0e5dfe4269ca51 Mon Sep 17 00:00:00 2001 +From: Young Xiao <92siuyang@gmail.com> +Date: Fri, 14 Jun 2019 15:13:02 +0800 +Subject: nfc: Ensure presence of required attributes in the deactivate_target + handler +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=385097a3675749cbc9e97c085c0e5dfe4269ca51 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-12984 + +Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to +NFC_ATTR_DEVICE_INDEX) are provided by the netlink client prior to +accessing them. This prevents potential unhandled NULL pointer dereference +exceptions which can be triggered by malicious user-mode programs, +if they omit one or both of these attributes. + +Signed-off-by: Young Xiao <92siuyang@gmail.com> +Signed-off-by: David S. Miller +--- + net/nfc/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c +index 1180b3e58a0a..ea64c90b14e8 100644 +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -911,7 +911,8 @@ static int nfc_genl_deactivate_target(struct sk_buff *skb, + u32 device_idx, target_idx; + int rc; + +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || ++ !info->attrs[NFC_ATTR_TARGET_INDEX]) + return -EINVAL; + + device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index 272caa4c2..101206396 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -232,6 +232,7 @@ bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch +bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch