From: Greg KH <gregkh@linuxfoundation.org>
To: Bryam Vargas <hexlabsecurity@proton.me>
Cc: David Heidelberg <david+nfc@ixit.cz>,
oe-linux-nfc@lists.linux.dev, netdev@vger.kernel.org,
stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nfc: nci: add data_len bound checks to activation parameter extractors
Date: Sun, 7 Jun 2026 11:53:36 +0200 [thread overview]
Message-ID: <2026060725-husked-latter-8231@gregkh> (raw)
In-Reply-To: <20260607094822.322125-1-hexlabsecurity@proton.me>
On Sun, Jun 07, 2026 at 09:48:26AM +0000, Bryam Vargas wrote:
> nci_extract_activation_params_iso_dep() and
> nci_extract_activation_params_nfc_dep() read an inner length byte from
> the NCI RF_INTF_ACTIVATED_NTF payload and use it to memcpy() into fixed
> kernel buffers, but neither function receives the caller-validated
> activation_params_len. A crafted NCI notification with
> activation_params_len=1 and an inner length byte of up to 20 (NFC-A) or
> 50 (NFC-B) causes memcpy() to read that many bytes past the one valid
> byte in the activation params region -- a slab out-of-bounds read of
> kernel memory adjacent to the NCI skb.
>
> The sibling nci_extract_rf_params_*() family was given equivalent
> protection by commit 571dcbeb8e63 ("net: nfc: nci: Fix parameter
> validation for packet data"), but the two activation parameter
> extractors were not updated at that time.
>
> Add a data_len parameter to both functions, guard against an empty
> region before consuming the inner length byte, decrement the remaining
> count after consuming it, and clamp the copy length to what is actually
> available. Update both call sites to pass ntf.activation_params_len,
> which is already validated against the skb at ntf.c:801.
>
> Fixes: e8c0dacd9836 ("NFC: Update names and structs to NCI spec 1.0 d18")
> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
> ---
> Verification (NFC-A ISO-DEP, NFC_ATS_MAXSIZE = 20):
>
> data_len inner_len without patch with patch
> -------- --------- ------------------------- --------------------
> 1 0 rats_res_len=0, clean same
> 1 1 memcpy +1B OOB clamped to 0, clean
> 1 20 memcpy +20B OOB <-- PoC clamped to 0, clean
> 2 2 memcpy +1B OOB clamped to 1, clean
> 21 20 memcpy 20B clean same
>
> NFC-B (attrib_res, max 50) and NFC-DEP poll/listen (atr_res/atr_req,
> max 62) have the same shape and receive the same fix.
>
> net/nfc/nci/ntf.c | 26 ++++++++++++++++++++++----
> 1 file changed, 22 insertions(+), 4 deletions(-)
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>
prev parent reply other threads:[~2026-06-07 9:54 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-07 9:48 [PATCH] nfc: nci: add data_len bound checks to activation parameter extractors Bryam Vargas
2026-06-07 9:53 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026060725-husked-latter-8231@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=david+nfc@ixit.cz \
--cc=hexlabsecurity@proton.me \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oe-linux-nfc@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox