No kernel security patches for ASB-2018-11, however there
were some from previous ASBs that are now upstream and in
android common kernels

CVE-2018-9363 from ASB-2018-06
CVE-2017-0749 from ASB-2017-08
CVE-2017-0627 from ASB-2017-05
CVE-2017-0564 from ASB-2017-04
CVE-2017-13293 from ASB-2018-04
NFC: Fix the number of pipes

commit e285d5bfb7e9785d289663baef252dd315e171f8 upstream.

According to ETSI TS 102 622 specification chapter 4.4 pipe identifier
is 7 bits long which allows for 128 unique pipe IDs. Because
NFC_HCI_MAX_PIPES is used as the number of pipes supported and not
as the max pipe ID, its value should be 128 instead of 127.

nfc_hci_recv_from_llc extracts pipe ID from packet header using
NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127.
Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With
pipes array having only 127 elements and pipe ID of 127 the OOB memory
access will result.

Cc: Samuel Ortiz <>
Cc: Allen Pais <>
Cc: "David S. Miller" <>
Suggested-by: Dan Carpenter <>
Signed-off-by: Suren Baghdasaryan <>
Reviewed-by: Kees Cook <>
Cc: stable <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>

1 file changed