* [PATCH net v3] nfc: pn533: Clear nfc_target before being used
@ 2022-12-14 1:51 Minsuk Kang
2022-12-14 13:14 ` Krzysztof Kozlowski
2022-12-15 5:00 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Minsuk Kang @ 2022-12-14 1:51 UTC (permalink / raw)
To: krzysztof.kozlowski, netdev
Cc: linma, davem, sameo, linville, dokyungs, jisoo.jang, Minsuk Kang
Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.
Found by a modified version of syzkaller.
BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
memcpy
nla_put
nfc_genl_dump_targets
genl_lock_dumpit
netlink_dump
__netlink_dump_start
genl_family_rcv_msg_dumpit
genl_rcv_msg
netlink_rcv_skb
genl_rcv
netlink_unicast
netlink_sendmsg
sock_sendmsg
____sys_sendmsg
___sys_sendmsg
__sys_sendmsg
do_syscall_64
Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
---
v2->v3:
Remove an inappropriate tag
v1->v2:
Clear another nfc_target in pn533_in_dep_link_up_complete()
Fix the commit message
drivers/nfc/pn533/pn533.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index d9f6367b9993..f0cac1900552 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -1295,6 +1295,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
if (IS_ERR(resp))
return PTR_ERR(resp);
+ memset(&nfc_target, 0, sizeof(struct nfc_target));
+
rsp = (struct pn533_cmd_jump_dep_response *)resp->data;
rc = rsp->status & PN533_CMD_RET_MASK;
@@ -1926,6 +1928,8 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
dev_dbg(dev->dev, "Creating new target\n");
+ memset(&nfc_target, 0, sizeof(struct nfc_target));
+
nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK;
nfc_target.nfcid1_len = 10;
memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net v3] nfc: pn533: Clear nfc_target before being used
2022-12-14 1:51 [PATCH net v3] nfc: pn533: Clear nfc_target before being used Minsuk Kang
@ 2022-12-14 13:14 ` Krzysztof Kozlowski
2022-12-15 5:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Krzysztof Kozlowski @ 2022-12-14 13:14 UTC (permalink / raw)
To: Minsuk Kang, netdev; +Cc: linma, davem, sameo, linville, dokyungs, jisoo.jang
On 14/12/2022 02:51, Minsuk Kang wrote:
> Fix a slab-out-of-bounds read that occurs in nla_put() called from
> nfc_genl_send_target() when target->sensb_res_len, which is duplicated
> from an nfc_target in pn533, is too large as the nfc_target is not
> properly initialized and retains garbage values. Clear nfc_targets with
> memset() before they are used.
>
> Found by a modified version of syzkaller.
>
> BUG: KASAN: slab-out-of-bounds in nla_put
> Call Trace:
> memcpy
> nla_put
> nfc_genl_dump_targets
> genl_lock_dumpit
> netlink_dump
> __netlink_dump_start
> genl_family_rcv_msg_dumpit
> genl_rcv_msg
> netlink_rcv_skb
> genl_rcv
> netlink_unicast
> netlink_sendmsg
> sock_sendmsg
> ____sys_sendmsg
> ___sys_sendmsg
> __sys_sendmsg
> do_syscall_64
>
> Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
> Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
> Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
> ---
> v2->v3:
> Remove an inappropriate tag
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net v3] nfc: pn533: Clear nfc_target before being used
2022-12-14 1:51 [PATCH net v3] nfc: pn533: Clear nfc_target before being used Minsuk Kang
2022-12-14 13:14 ` Krzysztof Kozlowski
@ 2022-12-15 5:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-12-15 5:00 UTC (permalink / raw)
To: Minsuk Kang
Cc: krzysztof.kozlowski, netdev, linma, davem, sameo, linville,
dokyungs, jisoo.jang
Hello:
This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 14 Dec 2022 10:51:39 +0900 you wrote:
> Fix a slab-out-of-bounds read that occurs in nla_put() called from
> nfc_genl_send_target() when target->sensb_res_len, which is duplicated
> from an nfc_target in pn533, is too large as the nfc_target is not
> properly initialized and retains garbage values. Clear nfc_targets with
> memset() before they are used.
>
> Found by a modified version of syzkaller.
>
> [...]
Here is the summary with links:
- [net,v3] nfc: pn533: Clear nfc_target before being used
https://git.kernel.org/netdev/net/c/9f28157778ed
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-12-15 5:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-14 1:51 [PATCH net v3] nfc: pn533: Clear nfc_target before being used Minsuk Kang
2022-12-14 13:14 ` Krzysztof Kozlowski
2022-12-15 5:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).