From: Samuel Page
To: David Heidelberg
Cc: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, oe-linux-nfc@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Samuel Page
Subject: [PATCH net] nfc: nci: fix out-of-bounds write in nci_target_auto_activated()
Date: Mon, 22 Jun 2026 16:52:43 +0200
Message-ID: <20260622145243.3167276-1-sam@bynar.io>
X-Mailer: git-send-email 2.54.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

nci_target_auto_activated() appends a target to the fixed-size array ndev->targets[NCI_MAX_DISCOVERED_TARGETS] and increments ndev->n_targets without first checking the array is full, unlike its sibling nci_add_new_target(), which bails out when n_targets already equals NCI_MAX_DISCOVERED_TARGETS.

ndev->n_targets is only cleared by nci_clear_target_list(), so an NFCC that repeatedly re-runs discovery (RF_DISCOVER_RSP, which re-enters NCI_DISCOVERY without clearing the target list) and reports an auto-activated target (RF_INTF_ACTIVATED_NTF) drives n_targets past the limit.
The append then writes a struct nfc_target past the end of the array (a slab out-of-bounds write), and nfc_targets_found() goes on to walk the array with the inflated count:

  BUG: KASAN: slab-out-of-bounds in nci_add_new_protocol+0x94/0x2ac [nci]
  Write of size 2 at addr ffff0000c7299a18 by task kworker/u8:0/12

  Workqueue: nfc0_nci_rx_wq nci_rx_work [nci]
  Call trace:
   nci_add_new_protocol+0x94/0x2ac [nci]
   nci_ntf_packet+0xddc/0x11a0 [nci]
   nci_rx_work+0x15c/0x1e0 [nci]
   process_one_work+0x2dc/0x500
   worker_thread+0x240/0x460
   kthread+0x1c0/0x1d0
   ret_from_fork+0x10/0x20

  The buggy address belongs to the cache kmalloc-2k of size 2048
  The buggy address is located 1024 bytes to the right of
   allocated 1560-byte region [ffff0000c7299000, ffff0000c7299618)

Guard nci_target_auto_activated() with the same check used by nci_add_new_target().

Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support")
Cc: stable@vger.kernel.org
Assisted-by: Bynario AI
Signed-off-by: Samuel Page
---
 net/nfc/nci/ntf.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index c96512bb8653..566ca839fa48 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -603,6 +603,12 @@ static void nci_target_auto_activated(struct nci_dev *ndev, struct nfc_target *target; int rc; + /* This is a new target, check if we've enough room */ + if (ndev->n_targets == NCI_MAX_DISCOVERED_TARGETS) { + pr_debug("not enough room, ignoring new target...\n"); + return; + } + target = &ndev->targets[ndev->n_targets]; rc = nci_add_new_protocol(ndev, target, ntf->rf_protocol, base-commit: 47186409c092cd7dd70350999186c700233e854d -- 2.54.0
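Review bot: the new guard compares n_targets with `==`, mirroring nci_add_new_target(); that is sufficient only while these two functions are the sole writers of ndev->n_targets and each adds exactly one entry, so `>=` would be the more defensive form if any other path ever inflates the count, at no cost. Separately, the early return discards an RF_INTF_ACTIVATED_NTF after the NFCC has already activated the interface, whereas the sibling only discards a discovery notification; a sentence in the commit message on the resulting device state (the NFCC still considers a target active while the stack has not recorded it), or a note that the caller deactivates on this path, would help reviewers and stable maintainers. Reusing the sibling's comment and pr_debug text verbatim keeps the two paths easy to grep together.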
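The failure mode the commit message describes, modelled in user space as an added example (this is neither the kernel's code nor the patch author's): a fixed-size target array, an unguarded append that inflates the count on every RF_INTF_ACTIVATED_NTF, and the guarded variant beside it. The model assumes NCI_MAX_DISCOVERED_TARGETS is 10 (the value in include/net/nfc/nci_core.h, stated here as an assumption), reduces struct nfc_target to two fields, and uses a constructed protocol id; the out-of-bounds write itself is counted rather than performed so the program stays well-defined.

```c
/* Added example, not kernel code: user-space model of the ndev->targets
 * append in net/nfc/nci/ntf.c, unguarded and guarded side by side. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NCI_MAX_DISCOVERED_TARGETS 10   /* assumed from nci_core.h */

struct nfc_target {                     /* reduced stand-in for the kernel struct */
    uint32_t idx;
    uint8_t  rf_protocol;
};

struct nci_dev_model {
    struct nfc_target targets[NCI_MAX_DISCOVERED_TARGETS];
    int n_targets;
    int oob_writes;   /* appends that would have landed past the array */
    int dropped;      /* appends refused by the guard */
};

/* Equivalent of nci_clear_target_list(): the only place n_targets is reset. */
static void clear_target_list(struct nci_dev_model *ndev)
{
    memset(ndev->targets, 0, sizeof(ndev->targets));
    ndev->n_targets = 0;
}

/* Models nci_target_auto_activated() before the patch.  The real code
 * writes through &ndev->targets[ndev->n_targets]; here the out-of-bounds
 * write is counted instead of performed, but n_targets is still inflated,
 * which is the count nfc_targets_found() goes on to walk. */
static void auto_activated_unguarded(struct nci_dev_model *ndev, uint8_t proto)
{
    int slot = ndev->n_targets;
    if (slot < NCI_MAX_DISCOVERED_TARGETS) {
        ndev->targets[slot].idx = (uint32_t)slot;
        ndev->targets[slot].rf_protocol = proto;
    } else {
        ndev->oob_writes++;   /* the KASAN slab-out-of-bounds write */
    }
    ndev->n_targets++;
}

/* Models the patched function: same early return as nci_add_new_target(). */
static void auto_activated_guarded(struct nci_dev_model *ndev, uint8_t proto)
{
    if (ndev->n_targets == NCI_MAX_DISCOVERED_TARGETS) {
        ndev->dropped++;      /* "not enough room, ignoring new target..." */
        return;
    }
    ndev->targets[ndev->n_targets].idx = (uint32_t)ndev->n_targets;
    ndev->targets[ndev->n_targets].rf_protocol = proto;
    ndev->n_targets++;
}

/* Drives the sequence from the commit message: each round is an
 * RF_DISCOVER_RSP that re-enters discovery without clearing the list,
 * followed by an RF_INTF_ACTIVATED_NTF.  Returns the final n_targets. */
static int run_discovery_rounds(struct nci_dev_model *ndev, int rounds, int guarded)
{
    memset(ndev, 0, sizeof(*ndev));
    for (int i = 0; i < rounds; i++) {
        /* RF_DISCOVER_RSP: nothing clears ndev->targets here */
        if (guarded)
            auto_activated_guarded(ndev, 0x04);   /* constructed protocol id */
        else
            auto_activated_unguarded(ndev, 0x04);
    }
    return ndev->n_targets;
}

/* Models the walk in nfc_targets_found(): how many of the entries it
 * would visit lie past the end of the array. */
static int entries_past_array(const struct nci_dev_model *ndev)
{
    int past = 0;
    for (int i = 0; i < ndev->n_targets; i++)
        if (i >= NCI_MAX_DISCOVERED_TARGETS)
            past++;
    return past;
}

int main(void)
{
    struct nci_dev_model ndev;
    int n = run_discovery_rounds(&ndev, NCI_MAX_DISCOVERED_TARGETS + 2, 0);
    printf("unguarded: n_targets=%d oob_writes=%d walk past end=%d\n",
           n, ndev.oob_writes, entries_past_array(&ndev));
    n = run_discovery_rounds(&ndev, NCI_MAX_DISCOVERED_TARGETS + 2, 1);
    printf("guarded:   n_targets=%d dropped=%d walk past end=%d\n",
           n, ndev.dropped, entries_past_array(&ndev));
    clear_target_list(&ndev);
    printf("after clear: n_targets=%d\n", ndev.n_targets);
    return 0;
}
```

Two rounds past the limit are enough to show the point: the unguarded path ends with n_targets at 12 and two writes that would have hit the slab past the array, and the later walk visits two entries that do not exist; the guarded path caps n_targets at 10 and records two dropped notifications, which is the condition the patch's pr_debug line would log.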