linux/net/nfc
Deepak Sharma 9c328f5474 net: nfc: nci: Add parameter validation for packet data
Syzbot reported an uninitialized value bug in nci_init_req, which was
introduced by commit 5aca7966d2 ("Merge tag
'perf-tools-fixes-for-v6.17-2025-09-16' of
git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").

This bug arises due to the very limited and poor input validation
that was done at nic_valid_size(). This validation only checks
skb->len (which directly reflects the size provided at the
userspace interface) against the length provided in the buffer
itself (interpreted as NCI_HEADER). This leads to the processing
of memory content at the address assuming the correct layout
per what the opcode requires there. This leads to accesses to
the buffer of `skb_buff->data`, which has not been assigned anything yet.

Following the same silent drop of packets of invalid sizes at
`nic_valid_size()`, add validation of the data in the respective
handlers and return error values in case of failure. Release
the skb if error values are returned from handlers in
`nci_nft_packet` and effectively do a silent drop.

Possible TODO: because we silently drop the packets, the
call to `nci_request` will be waiting for completion of the request
and will face timeouts. These timeouts can get excessively logged
in the dmesg. Proper handling of them may require exporting
`nci_request_cancel` (or propagating error handling from the
nft packet handlers).

Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
Fixes: 6a2968aaf5 ("NFC: basic NCI protocol implementation")
Tested-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Deepak Sharma <deepak.sharma.472935@gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20250925132846.213425-1-deepak.sharma.472935@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2025-09-30 10:27:14 +02:00
hci treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nci net: nfc: nci: Add parameter validation for packet data 2025-09-30 10:27:14 +02:00
Kconfig
Makefile
af_nfc.c nfc: fix error handling of nfc_proto_register() 2021-10-13 17:32:38 -07:00
core.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
digital.h
digital_core.c net: fill in MODULE_DESCRIPTION()s for NFC 2024-01-11 16:16:08 -08:00
digital_dep.c
digital_technology.c NFC: digital: fix possible memory leak in digital_in_send_sdd_req() 2021-10-13 17:44:29 -07:00
llcp.h net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-06-26 10:57:23 +01:00
llcp_commands.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-06-27 09:45:22 -07:00
llcp_core.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
llcp_sock.c net: change proto and proto_ops accept type 2024-05-13 18:19:09 -06:00
netlink.c nfc: Remove checks for nla_data returning NULL 2025-06-18 14:17:32 -07:00
nfc.h net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-06-26 10:57:23 +01:00
rawsock.c nfc: Add KCOV annotations 2022-11-02 11:58:13 +00:00