[PATCH net v2 0/3] nfc: fix chained TLV parsing and integer underflow vulnerabilities

["Lekë Hapçiu" <snowwlake@icloud.com>]

From: Lekë Hapçiu <framemain@outlook.com>

These three patches fix vulnerabilities in the NFC LLCP and NCI subsystems
that form an exploit chain.  Each bug is independently reachable from an
unauthenticated NFC peer at ~4 cm range; together they create a path from
controlled heap disclosure to heap corruption.

--- Chain summary ---

  [1/3]  nci/ntf.c — nci_store_general_bytes_nfc_dep()
         u8 integer underflow: when the peer's ATR_RES/ATR_REQ length field
         is smaller than NFC_ATR_RES_GT_OFFSET (15) or NFC_ATR_REQ_GT_OFFSET
         (14), the subtraction wraps to a large u8 value.  min_t(__u8, ...)
         clamps to NFC_ATR_RES_GB_MAXSIZE (47), and a 47-byte memcpy reads
         out-of-bounds data into ndev->remote_gb[].  This corrupted buffer
         is subsequently parsed by nfc_llcp_parse_gb_tlv().

  [2/3]  llcp_commands.c — nfc_llcp_parse_gb_tlv() +
                           nfc_llcp_parse_connection_tlv()
         Two bugs in both TLV parsers.  The first, a u8 offset truncation
         causing an infinite loop, was addressed in v1 of this series.
         This version adds the fix identified during review by Simon Horman:
         the `length` byte is read from peer-controlled data with no check
         that the remainder of the array can accommodate `length` more bytes.
         A crafted `length` advances the `tlv` pointer into adjacent kernel
         memory; the next iteration reads tlv[0]/tlv[1] from that location.
         When combined with [1/3], a crafted `length` in the garbage-filled
         remote_gb[] can walk `tlv` past nfc_llcp_local.remote_gb[] and into
         adjacent struct fields, including sdreq_timer.function at ~+176 bytes,
         enabling a kernel pointer disclosure via sock->remote_miu/getsockopt.

  [3/3]  llcp_core.c — nfc_llcp_recv_snl()
         The SNL TLV parsing loop carries the same missing guards as [2/3].
         Additionally: LLCP_TLV_SDREQ accesses tlv[2] and computes
         `service_name_len = length - 1` (u8 underflow to 255 when length==0,
         causing a 255-byte kernel memory scan via strncmp); and
         LLCP_TLV_SDRES accesses tlv[2] and tlv[3] without verifying
         length >= 2.  Unlike the parsers in [2/3], SDREQ/SDRES are processed
         directly without the llcp_tlv_length[] table protection.  A missing
         skb->len guard also allows tlv_len to underflow to ~65534 if
         skb->len < LLCP_HEADER_SIZE.

--- Individual CVSS (AV:A/AC:L/PR:N/UI:N/S:U) ---

  [1/3]  C:H/I:N/A:L  — 6.5
  [2/3]  C:H/I:N/A:L  — 6.5
  [3/3]  C:H/I:N/A:L  — 6.5

--- Chain CVSS ---

  AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H — 8.3

  KASLR bypass via [1/3]+[2/3] makes [3/3] reliably exploitable without
  the race-condition timing required against the bugs in isolation.

All patches carry Cc: stable@vger.kernel.org.


Lekë Hapçiu (3):
  nfc: nci: fix u8 underflow in nci_store_general_bytes_nfc_dep
  nfc: llcp: add TLV length bounds checks in parse_gb_tlv and
    parse_connection_tlv
  nfc: llcp: fix TLV parsing OOB and length underflow in
    nfc_llcp_recv_snl

 net/nfc/llcp_commands.c | 22 ++++++++++++++++++++++
 net/nfc/llcp_core.c     | 13 +++++++++++++
 net/nfc/nci/ntf.c       | 22 ++++++++++++++--------
 3 files changed, 49 insertions(+), 8 deletions(-)

-- 
2.51.0