From: Michael Bommarito
To: netdev@vger.kernel.org
Cc: "David S. Miller", "Eric Dumazet", "Jakub Kicinski", "Paolo Abeni", "Simon Horman", "Kees Cook", stable@vger.kernel.org, linux-kernel@vger.kernel.org, Michael Bommarito
Subject: [PATCH net] NFC: digital: bound SENSF response copy into nfc_target
Date: Mon, 13 Apr 2026 13:47:15 -0400
Message-ID: <20260413174715.197640-1-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0

digital_in_recv_sensf_res() copies the received SENSF response into
struct nfc_target without bounding the copy to target.sensf_res. A full
on-wire digital_sensf_res is 19 bytes long, while nfc_target stores 18
bytes, so full-length or oversized responses can overwrite adjacent stack
fields before digital_target_found() sees the target.

Reject payloads larger than struct digital_sensf_res and clamp the copy
into target.sensf_res so valid 19-byte responses keep working while the
destination buffer remains bounded.

This was confirmed by injecting an oversized SENSF_RES frame via a patched
nfcsim driver, producing a kernel panic with the overflow pattern visible
on the stack:

  Kernel panic - not syncing: Kernel mode fault at addr 0x0
  Stack: 4141414141414141 4141414141414141 4141414141414141 ...

Found by static analysis with Coccinelle (memcpy-from-TLV pattern derived
from CVE-2019-14814).

Fixes: 8c0695e4998d ("NFC Digital: Add NFC-F technology support")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito
---
 net/nfc/digital_technology.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c
index 63f1b721c71d..5ef49f813f70 100644
--- a/net/nfc/digital_technology.c
+++ b/net/nfc/digital_technology.c
@@ -768,12 +768,18 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg, skb_pull(resp, 1); + if (resp->len > sizeof(struct digital_sensf_res)) { + rc = -EIO; + goto exit; + } + memset(&target, 0, sizeof(struct nfc_target)); sensf_res = (struct digital_sensf_res *)resp->data; - memcpy(target.sensf_res, sensf_res, resp->len); - target.sensf_res_len = resp->len; + target.sensf_res_len = min_t(unsigned int, resp->len, + sizeof(target.sensf_res)); + memcpy(target.sensf_res, sensf_res, target.sensf_res_len); memcpy(target.nfcid2, sensf_res->nfcid2, NFC_NFCID2_MAXSIZE); target.nfcid2_len = NFC_NFCID2_MAXSIZE; -- 2.53.0
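Review bot: the clamp `target.sensf_res_len = min_t(unsigned int, resp->len, sizeof(target.sensf_res));` silently drops the 19th byte of a valid full-length SENSF_RES (the commit message itself gives the sizes as 19 on the wire versus 18 in nfc_target) and then reports sensf_res_len as 18 rather than the on-wire length, so "valid 19-byte responses keep working" in the message should say that such a response is accepted but truncated in what nfc_target carries; a one-line comment at the clamp explaining why the destination is one byte short of struct digital_sensf_res would also save the next reader a trip to the header. If anything downstream needs that last byte, widening the target buffer is the alternative to weigh against the clamp; if not, stating the truncation explicitly is enough. Minor: the new `if (resp->len > sizeof(struct digital_sensf_res))` could use `sizeof(*sensf_res)` so the check and the copy below refer to the same object in the same way.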
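The size mismatch the commit message describes (a 19-byte SENSF_RES copied with the wire length into an 18-byte sensf_res) can be reproduced in userspace without touching the kernel. The following is an added example, not the patch author's code and not kernel code: it models the stack slot holding nfc_target as a flat byte region in which region[18] stands for whatever field follows sensf_res, builds a constructed SENSF_RES payload, and runs both the pre-patch copy and the patched bound-then-clamp logic against it. The struct layout, the command code 0x01, the 17-byte minimum length without RD, the neighbour-byte model and the NFCID2 value are assumptions made for the demo; only the 18 and 19 come from the commit message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the patch description: nfc_target.sensf_res holds 18 bytes,
 * a complete SENSF_RES (cmd + NFCID2 + PAD + RD) is 19 bytes. */
#define SENSF_RES_MAXSIZE 18
#define NFCID2_MAXSIZE    8
#define SENSF_RES_MIN_LEN 17      /* assumption: cmd + NFCID2 + PAD, RD omitted */
#define SENSF_RES_CMD     0x01    /* assumption: NFC-F SENSF_RES command code */

struct sensf_res {                /* 19 bytes; assumed layout of digital_sensf_res */
    uint8_t cmd;
    uint8_t nfcid2[NFCID2_MAXSIZE];
    uint8_t pad0[2];
    uint8_t pad1[3];
    uint8_t mrti_check;
    uint8_t mrti_update;
    uint8_t pad2;
    uint8_t rd[2];
};

/* Model of the stack slot holding nfc_target: region[0..17] is sensf_res and
 * region[18] plays the field next to it. The region is wider than any frame
 * built here, so corruption stays inside the model and never reaches the
 * host process. */
#define MODEL_REGION 32
#define NEIGHBOUR    SENSF_RES_MAXSIZE
#define CANARY       0xC5

struct model_target {
    uint8_t region[MODEL_REGION];
    uint8_t sensf_res_len;
};

enum sensf_status { SENSF_OK = 0, SENSF_TOO_LONG = -1 };

struct demo_result { int status; uint8_t len; uint8_t neighbour; };

/* Constructed SENSF_RES payload as seen after the length byte is pulled:
 * 17 bytes without RD, 19 bytes with RD, plus `extra` trailing 'A' bytes to
 * build an oversized frame. Returns the payload length. */
static size_t build_sensf_res(uint8_t *out, int with_rd, size_t extra)
{
    static const uint8_t nfcid2[NFCID2_MAXSIZE] = { 0x01, 0x27, 0x00, 0x3e, 0x2a, 0x3b, 0xc4, 0x5d };
    struct sensf_res r;
    size_t len = with_rd ? sizeof r : SENSF_RES_MIN_LEN;

    if (len + extra > MODEL_REGION)           /* keep the demo inside the model */
        extra = MODEL_REGION - len;
    memset(&r, 0, sizeof r);
    r.cmd = SENSF_RES_CMD;
    memcpy(r.nfcid2, nfcid2, NFCID2_MAXSIZE);
    r.mrti_check = 0x0f;
    r.mrti_update = 0x0f;
    r.rd[0] = 'A';                            /* 'A' = 0x41, the pattern in the report */
    r.rd[1] = 'A';
    memcpy(out, &r, len);
    memset(out + len, 'A', extra);
    return len + extra;
}

/* Pre-patch logic: trusts the wire length and copies all of it. */
static struct demo_result run_unbounded(int with_rd, size_t extra)
{
    uint8_t frame[MODEL_REGION];
    struct model_target t;
    size_t len = build_sensf_res(frame, with_rd, extra);

    memset(&t, 0, sizeof t);
    t.region[NEIGHBOUR] = CANARY;
    memcpy(t.region, frame, len);             /* len >= 19 lands on region[18] */
    t.sensf_res_len = (uint8_t)len;
    return (struct demo_result){ SENSF_OK, t.sensf_res_len, t.region[NEIGHBOUR] };
}

/* Post-patch logic: reject anything longer than a full SENSF_RES, then clamp
 * the copy to the 18-byte destination (a 19-byte frame loses its last byte). */
static struct demo_result run_bounded(int with_rd, size_t extra)
{
    uint8_t frame[MODEL_REGION];
    struct model_target t;
    size_t len = build_sensf_res(frame, with_rd, extra);

    memset(&t, 0, sizeof t);
    t.region[NEIGHBOUR] = CANARY;
    if (len > sizeof(struct sensf_res))
        return (struct demo_result){ SENSF_TOO_LONG, 0, t.region[NEIGHBOUR] };
    t.sensf_res_len = len < SENSF_RES_MAXSIZE ? (uint8_t)len : SENSF_RES_MAXSIZE;
    memcpy(t.region, frame, t.sensf_res_len);
    return (struct demo_result){ SENSF_OK, t.sensf_res_len, t.region[NEIGHBOUR] };
}

int main(void)
{
    struct demo_result r = run_unbounded(1, 0);
    printf("19-byte frame, unbounded copy: neighbour 0x%02x (canary 0x%02x), len %u\n",
           r.neighbour, CANARY, (unsigned)r.len);
    r = run_bounded(1, 0);
    printf("19-byte frame, bounded copy:   status %d, neighbour 0x%02x, len %u\n",
           r.status, r.neighbour, (unsigned)r.len);
    r = run_bounded(1, 4);
    printf("23-byte frame, bounded copy:   status %d (rejected before any copy)\n", r.status);
    return 0;
}
```

The unbounded path shows the neighbour byte replaced by 0x41 for any frame of 19 bytes or more, which is the pattern the commit message reports on the stack; the bounded path keeps the neighbour intact for every input, rejects the oversized frame outright, and for the exact 19-byte frame returns a length of 18, making the one-byte truncation of a full-length response visible rather than hidden.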