* [PATCH] nfc: nci: fix OOB heap read in nci_core_init_rsp_packet_v2()
@ 2026-04-04 18:00 Lekë Hapçiu
From: Lekë Hapçiu @ 2026-04-04 18:00 UTC (permalink / raw)
To: netdev; +Cc: gregkh, linux-nfc, davem, kuba, Lekë Hapçiu
From: Lekë Hapçiu <framemain@outlook.com>
nci_core_init_rsp_packet_v2() walks the chip-supplied
supported_rf_interfaces[] flexible array using a plain pointer
with no bounds check. Each iteration advances supported_rf_interface
by (1 + 1 + rf_extension_cnt) bytes, where rf_extension_cnt comes
directly from the chip. A hostile NCI v2 chip can set
rf_extension_cnt=255 per entry and num_supported_rf_interfaces=4,
driving the pointer up to ~1028 bytes past the end of the skb into
adjacent kernel heap.
Add two guards per loop iteration:
- check that at least 2 bytes remain before reading the interface
byte and extension count byte;
- check that sufficient bytes remain for the declared extension
block before advancing over it.
Also add an upfront sizeof(*rsp) check so that accessing the fixed
header fields (nfcc_features, max_logical_connections, ...) is safe
before the loop is reached.
Fixes: bcd684aace34 ("net/nfc/nci: Support NCI 2.x initial sequence")
Signed-off-by: Lekë Hapçiu <framemain@outlook.com>
---
net/nfc/nci/rsp.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/net/nfc/nci/rsp.c b/net/nfc/nci/rsp.c
index 4aaf362b9..ecd360b59 100644
--- a/net/nfc/nci/rsp.c
+++ b/net/nfc/nci/rsp.c
@@ -96,10 +96,17 @@ static u8 nci_core_init_rsp_packet_v2(struct nci_dev *ndev,
const struct sk_buff *skb)
{
const struct nci_core_init_rsp_nci_ver2 *rsp = (void *)skb->data;
- const u8 *supported_rf_interface = rsp->supported_rf_interfaces;
+ const u8 *supported_rf_interface;
+ const u8 *end = skb->data + skb->len;
u8 rf_interface_idx = 0;
u8 rf_extension_cnt = 0;
+ if (skb->len < sizeof(*rsp)) {
+ pr_err("CORE_INIT_RSP v2 too short: len=%u need=%zu\n",
+ skb->len, sizeof(*rsp));
+ return NCI_STATUS_SYNTAX_ERROR;
+ }
+
pr_debug("status %x\n", rsp->status);
if (rsp->status != NCI_STATUS_OK)
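Review bot: `const u8 *end = skb->data + skb->len;` is the end of the payload only for a linear skb; `skb_tail_pointer(skb)` names the same bound through the skb API and makes that assumption visible, so consider `const u8 *end = skb_tail_pointer(skb);`. The new `skb->len < sizeof(*rsp)` guard is the right bound: `supported_rf_interfaces` is a flexible array member, so `sizeof(*rsp)` is exactly the fixed header, and the check now precedes the `rsp->status` read two lines below it. One further thought: a misbehaving chip controls how often this path runs, so a rate-limited `pr_err_ratelimited()` (or `pr_debug()`, as the existing status line uses) may be preferable to an unconditional `pr_err()`.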
@@ -112,11 +119,22 @@ static u8 nci_core_init_rsp_packet_v2(struct nci_dev *ndev,
min((int)ndev->num_supported_rf_interfaces,
NCI_MAX_SUPPORTED_RF_INTERFACES);
+ supported_rf_interface = rsp->supported_rf_interfaces;
while (rf_interface_idx < ndev->num_supported_rf_interfaces) {
+ if (supported_rf_interface + 2 > end) {
+ pr_err("CORE_INIT_RSP v2 truncated at rf_interface %d\n",
+ rf_interface_idx);
+ return NCI_STATUS_SYNTAX_ERROR;
+ }
ndev->supported_rf_interfaces[rf_interface_idx++] = *supported_rf_interface++;
/* skip rf extension parameters */
rf_extension_cnt = *supported_rf_interface++;
+ if (supported_rf_interface + rf_extension_cnt > end) {
+ pr_err("CORE_INIT_RSP v2 rf_extension overflow at idx %d\n",
+ rf_interface_idx - 1);
+ return NCI_STATUS_SYNTAX_ERROR;
+ }
supported_rf_interface += rf_extension_cnt;
}
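Review bot: both new guards form a pointer past the buffer before comparing it, `supported_rf_interface + 2 > end` and `supported_rf_interface + rf_extension_cnt > end`, and with `rf_extension_cnt` up to 255 the second one can point well beyond the skb. The same checks as remaining-length comparisons never create such a pointer: `if (end - supported_rf_interface < 2)` and `if (end - supported_rf_interface < rf_extension_cnt)`. The logic is otherwise sound: the first guard covers exactly the interface byte and count byte read on the two following lines, the second covers exactly the bytes skipped by `supported_rf_interface += rf_extension_cnt`, and `rf_interface_idx - 1` in the second message is the correct index after the post-increment on the assignment line. Note that once `ndev->num_supported_rf_interfaces` has been clamped by the `min()` just above, entries beyond the clamp are neither parsed nor length-checked; that is fine for memory safety, but a syntactically broken tail is accepted silently.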
--
2.51.0
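The walk described in the commit message, replayed in userspace as an added example (my code, not net/nfc/nci/rsp.c or the author's patch): the pre-patch loop run over a truncated response inside a 0xff-filled sandbox, which measures the overrun a hostile chip gets from count=4 and ext=255 per entry (1026 bytes past a 16-byte packet, 1028 from the start of the array), beside a hardened parser with the patch's three guards written as remaining-length comparisons. HDR_LEN, MAX_RF_INTERFACES, the status values and every packet byte are constructed assumptions, not the kernel's struct layout or constants.

```c
/*
 * Added example, not net/nfc/nci/rsp.c: userspace replay of the CORE_INIT_RSP
 * v2 rf-interface walk before and after the guards. HDR_LEN, MAX_RF_INTERFACES
 * and the status values are assumed stand-ins for the kernel's; the only layout
 * property used is "fixed header ending in the count, then {iface, ext_cnt,
 * ext[ext_cnt]} entries".
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN           14 /* assumed fixed-header size */
#define MAX_RF_INTERFACES 4  /* stands in for NCI_MAX_SUPPORTED_RF_INTERFACES */
enum { STATUS_OK = 0x00, STATUS_SYNTAX_ERROR = 0x05 }; /* illustrative values */

struct init_rsp_result {
	uint8_t status, count, ifaces[MAX_RF_INTERFACES];
};

/* Hardened walk: the patch's three guards written as remaining-length
 * comparisons, so no pointer past 'end' is ever formed. out may be NULL. */
static uint8_t parse_init_rsp_v2(const uint8_t *pkt, size_t len,
				 struct init_rsp_result *out)
{
	struct init_rsp_result tmp;
	const uint8_t *p, *end = pkt + len;
	uint8_t n;

	if (!out)
		out = &tmp;
	memset(out, 0, sizeof(*out));
	if (len < HDR_LEN)                 /* fixed header incomplete */
		return out->status = STATUS_SYNTAX_ERROR;
	n = pkt[HDR_LEN - 1];
	if (n > MAX_RF_INTERFACES)         /* same clamp as the kernel's min() */
		n = MAX_RF_INTERFACES;
	p = pkt + HDR_LEN;
	for (uint8_t i = 0; i < n; i++) {
		uint8_t ext;
		if (end - p < 2)           /* interface byte + extension count */
			return out->status = STATUS_SYNTAX_ERROR;
		out->ifaces[i] = *p++;
		ext = *p++;
		if (end - p < ext)         /* the declared extension block */
			return out->status = STATUS_SYNTAX_ERROR;
		p += ext;
	}
	out->count = n;
	return out->status = STATUS_OK;
}

/* Pre-patch walk replayed inside a sandbox buffer of sb_len bytes, so the
 * overrun is measurable rather than undefined. Returns bytes past pkt_len. */
static size_t unchecked_overrun(const uint8_t *sb, size_t sb_len, size_t pkt_len)
{
	const uint8_t *p = sb + HDR_LEN;
	uint8_t n = sb[HDR_LEN - 1];

	if (n > MAX_RF_INTERFACES)
		n = MAX_RF_INTERFACES;
	for (uint8_t i = 0; i < n && p + 2 <= sb + sb_len; i++) {
		p++;               /* interface byte */
		p += 1 + *p;       /* count byte, then the block it declares */
	}
	return p > sb + pkt_len ? (size_t)(p - (sb + pkt_len)) : 0;
}

/* Constructed hostile response: count=4, one truncated entry {0x01, ext=0xff},
 * packet ends after HDR_LEN + 2 bytes; the rest of buf is 0xff, as if heap. */
static size_t fill_hostile(uint8_t *buf, size_t buflen)
{
	memset(buf, 0xff, buflen);
	memset(buf, 0, HDR_LEN);
	buf[HDR_LEN - 1] = 4;
	buf[HDR_LEN] = 0x01;
	buf[HDR_LEN + 1] = 0xff;
	return HDR_LEN + 2;
}

static size_t hostile_overrun_bytes(void)
{
	uint8_t sb[2048];
	return unchecked_overrun(sb, sizeof(sb), fill_hostile(sb, sizeof(sb)));
}

static uint8_t hostile_status(void)
{
	uint8_t buf[HDR_LEN + 2];
	return parse_init_rsp_v2(buf, fill_hostile(buf, sizeof(buf)), NULL);
}

/* Constructed benign response: {0x00, no ext} and {0x01, 2 ext bytes}. */
static uint8_t benign_count(void)
{
	uint8_t buf[HDR_LEN + 6] = {0};
	struct init_rsp_result r;

	buf[HDR_LEN - 1] = 2;
	memcpy(buf + HDR_LEN, (const uint8_t[]){0x00, 0, 0x01, 2, 0xaa, 0xbb}, 6);
	return parse_init_rsp_v2(buf, sizeof(buf), &r) == STATUS_OK ? r.count : 0xff;
}

int main(void)
{
	printf("unchecked walk: %zu bytes past the packet\n", hostile_overrun_bytes());
	printf("hardened: hostile=%u benign interfaces=%u\n",
	       hostile_status(), benign_count());
	return 0;
}
```

The sandbox replay stops only at the edge of its own 2048-byte buffer, which is the point: nothing in the old loop ever consults the packet length, so each 0xff it finds where the real heap would be becomes another 255-byte stride. The hardened parser rejects the same input at the second guard of the first entry, and its `end - p` form never computes an address beyond the packet, which the pointer-addition form in the patch does.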
* Re: [PATCH] nfc: nci: fix OOB heap read in nci_core_init_rsp_packet_v2()
From: Simon Horman @ 2026-04-09 10:17 UTC (permalink / raw)
To: Lekë Hapçiu
Cc: netdev, gregkh, linux-nfc, davem, kuba, Lekë Hapçiu
On Sat, Apr 04, 2026 at 08:00:49PM +0200, Lekë Hapçiu wrote:
> From: Lekë Hapçiu <framemain@outlook.com>
>
> nci_core_init_rsp_packet_v2() walks the chip-supplied
> supported_rf_interfaces[] flexible array using a plain pointer
> with no bounds check. Each iteration advances supported_rf_interface
> by (1 + 1 + rf_extension_cnt) bytes, where rf_extension_cnt comes
> directly from the chip. A hostile NCI v2 chip can set
> rf_extension_cnt=255 per entry and num_supported_rf_interfaces=4,
> driving the pointer up to ~1028 bytes past the end of the skb into
> adjacent kernel heap.
>
> Add two guards per loop iteration:
> - check that at least 2 bytes remain before reading the interface
> byte and extension count byte;
> - check that sufficient bytes remain for the declared extension
> block before advancing over it.
>
> Also add an upfront sizeof(*rsp) check so that accessing the fixed
> header fields (nfcc_features, max_logical_connections, ...) is safe
> before the loop is reached.
>
> Fixes: bcd684aace34 ("net/nfc/nci: Support NCI 2.x initial sequence")
> Signed-off-by: Lekë Hapçiu <framemain@outlook.com>
I believe that my review of "[PATCH] nfc: nci: fix OOB heap read in
nci_core_init_rsp_packet_v1()" is relevant here.
- https://lore.kernel.org/all/20260408190505.GK469338@kernel.org/
I would appreciate it if you could create a v2 patchset, including
an updated version of this patch and that one.
Thanks!
--
pw-bot: changes-requested