author: Minsuk Kang <linuxlovemin@yonsei.ac.kr> 2022-12-14 10:51:39 +0900
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-07 12:07:29 +0100
commit: 9da4a0411f3455e3885831d0758bee3e3d565bbc
tree: eb9689435e1c2f27c728a4e40595acc26998dc63
parent: 7f1cda9c19ba45453abf3a1b305fff3e81140200
nfc: pn533: Clear nfc_target before being used
[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ]

Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values.

Clear nfc_targets with memset() before they are used.

Found by a modified version of syzkaller.

BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
 memcpy
 nla_put
 nfc_genl_dump_targets
 genl_lock_dumpit
 netlink_dump
 __netlink_dump_start
 genl_family_rcv_msg_dumpit
 genl_rcv_msg
 netlink_rcv_skb
 genl_rcv
 netlink_unicast
 netlink_sendmsg
 sock_sendmsg
 ____sys_sendmsg
 ___sys_sendmsg
 __sys_sendmsg
 do_syscall_64

Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
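The failure mode the commit message describes, an uninitialized length field in a stack struct that a netlink encoder later trusts as a copy length, modelled in user-space C. This is an added example, not code from the kernel or from the patch: the struct layout, the buffer-size constants, the `DEP_MASK` value and all function names are assumptions chosen to mirror the shape of `struct nfc_target` only as far as the bug needs. The "stale stack" contents are constructed deterministically (the struct is pre-filled with 0xff) so the over-read is reproducible rather than dependent on what a previous frame left behind.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions standing in for the kernel's NFC_*_MAXSIZE
 * constants; they only need to be fixed-size for the demonstration. */
#define NFCID1_MAX    10
#define SENSB_RES_MAX 12
#define SENSF_RES_MAX 18

/* Cut-down stand-in for the kernel's struct nfc_target (assumption: not the
 * real layout, just the length/buffer pairs that matter here). */
struct target {
    uint32_t supported_protocols;
    uint8_t  nfcid1_len;
    uint8_t  nfcid1[NFCID1_MAX];
    uint8_t  sensb_res_len;
    uint8_t  sensb_res[SENSB_RES_MAX];
    uint8_t  sensf_res_len;
    uint8_t  sensf_res[SENSF_RES_MAX];
};

/* Stand-in for NFC_PROTO_NFC_DEP_MASK (the value is an assumption). */
#define DEP_MASK (1u << 5)

/* The pattern the patch fixes: only the DEP-related fields are written;
 * every other field keeps whatever the caller's memory already held. */
static void fill_dep_target_unsafe(struct target *t, const uint8_t *nfcid3t)
{
    t->supported_protocols = DEP_MASK;
    t->nfcid1_len = NFCID1_MAX;
    memcpy(t->nfcid1, nfcid3t, t->nfcid1_len);
}

/* The fixed pattern: clear the whole struct first, as the patch does. */
static void fill_dep_target_fixed(struct target *t, const uint8_t *nfcid3t)
{
    memset(t, 0, sizeof(*t));
    fill_dep_target_unsafe(t, nfcid3t);
}

/* The invariant a netlink encoder in the role of nla_put() relies on: every
 * length must fit its buffer, otherwise the copy reads past the struct. */
static bool target_lengths_sane(const struct target *t)
{
    return t->nfcid1_len <= NFCID1_MAX &&
           t->sensb_res_len <= SENSB_RES_MAX &&
           t->sensf_res_len <= SENSF_RES_MAX;
}

/* Bytes an unchecked memcpy(out, t->sensb_res, t->sensb_res_len) would read
 * beyond sensb_res; 0 means the copy stays in bounds. */
static size_t sensb_overread_bytes(const struct target *t)
{
    return t->sensb_res_len > SENSB_RES_MAX
               ? (size_t)t->sensb_res_len - SENSB_RES_MAX
               : 0;
}

/* Runs one of the two code paths over deterministic "stale stack" contents:
 * the struct is pre-filled with 0xff (constructed garbage) before the fill.
 * Returns the over-read an unchecked encoder would perform on sensb_res. */
static size_t simulate_overread(bool use_fix)
{
    static const uint8_t nfcid3t[NFCID1_MAX] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    struct target t;

    memset(&t, 0xff, sizeof(t));          /* stand-in for leftover stack data */
    if (use_fix)
        fill_dep_target_fixed(&t, nfcid3t);
    else
        fill_dep_target_unsafe(&t, nfcid3t);

    if (!target_lengths_sane(&t))
        return sensb_overread_bytes(&t);  /* the read KASAN reports */
    return 0;
}

int main(void)
{
    printf("unsafe: %zu bytes over-read\n", simulate_overread(false));
    printf("fixed : %zu bytes over-read\n", simulate_overread(true));
    return 0;
}
```

With 0xff as the stale contents the unsafe path leaves `sensb_res_len` at 255 against a 12-byte buffer, so a consumer copying `sensb_res_len` bytes reads 243 bytes past the field; the cleared struct reports 0. The `target_lengths_sane()` check is the defensive counterpart on the consumer side: clearing the producer's struct, as the patch does, removes the garbage, but an encoder that validates lengths against buffer sizes would have turned the over-read into a rejected target.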
drivers/nfc/pn533/pn533.c | 4 ++++
1 file changed, 4 insertions(+), 0 deletions(-)
diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index 806309ee4165..fe81946a9ab4 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -1294,6 +1294,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
if (IS_ERR(resp))
return PTR_ERR(resp);
+ memset(&nfc_target, 0, sizeof(struct nfc_target));
+
rsp = (struct pn533_cmd_jump_dep_response *)resp->data;
rc = rsp->status & PN533_CMD_RET_MASK;
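Review bot: the clear is placed before `rc = rsp->status & PN533_CMD_RET_MASK;`, i.e. before the response is even inspected, so on a failed command it zeroes a struct that may never be populated; harmless, but moving the memset down to where the target fields are filled, or zero-initializing at the declaration (`struct nfc_target nfc_target = {};`, outside this hunk), would keep the intent local and avoid repeating the same memset in two functions. Minor style nit: `sizeof(nfc_target)` rather than `sizeof(struct nfc_target)` keeps the length tied to the variable if its type is ever changed.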
@@ -1776,6 +1778,8 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
dev_dbg(dev->dev, "Creating new target\n");
+ memset(&nfc_target, 0, sizeof(struct nfc_target));
+
nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK;
nfc_target.nfcid1_len = 10;
memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);
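Review bot: `nfc_target.nfcid1_len = 10;` followed by `memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);` hard-codes the copy length separately from the destination buffer; deriving it from the buffer, e.g. `sizeof(nfc_target.nfcid1)`, or from the matching max-size constant, rules out the same length/buffer mismatch this patch is fixing should the field size ever change. The memset itself is well placed, immediately ahead of the field assignments, so the response-length fields such as sensb_res_len now start at zero instead of stale stack contents.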