* [PATCH] nfc: port100: guard against incomplete USB frames
@ 2025-11-17 4:22 =?gb18030?B?Zmx5bm5uY2hlbiizwszss/4p?=
2025-11-21 19:45 ` Simon Horman
0 siblings, 1 reply; 2+ messages in thread
From: =?gb18030?B?Zmx5bm5uY2hlbiizwszss/4p?= @ 2025-11-17 4:22 UTC (permalink / raw)
To: krzk; +Cc: netdev, linux-kernel
Discovered by Atuin - Automated Vulnerability Discovery Engine.
Validate that the URB payload is long enough for the frame header and the
advertised data length before accessing it, so truncated transfers are
rejected with -EIO, preventing the driver from reading out-of-bounds and
leaking kernel memory to USB devices.
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
---
drivers/nfc/port100.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
index 00d8ea6dc..7cd439f66 100644
--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -568,11 +568,17 @@ static void port100_tx_update_payload_len(void *_frame, int len)
le16_add_cpu(&frame->datalen, len);
}
-static bool port100_rx_frame_is_valid(const void *_frame)
+static bool port100_rx_frame_is_valid(const void *_frame, size_t len)
{
u8 checksum;
const struct port100_frame *frame = _frame;
+ if (len < sizeof(*frame))
+ return false;
+
+ if (len < (size_t)(le16_to_cpu(frame->datalen)) + sizeof(*frame))
+ return false;
+
if (frame->start_frame != cpu_to_be16(PORT100_FRAME_SOF) ||
frame->extended_frame != cpu_to_be16(PORT100_FRAME_EXT))
return false;
@@ -636,7 +642,7 @@ static void port100_recv_response(struct urb *urb)
in_frame = dev->in_urb->transfer_buffer;
- if (!port100_rx_frame_is_valid(in_frame)) {
+ if (!port100_rx_frame_is_valid(in_frame, urb->actual_length)) {
nfc_err(&dev->interface->dev, "Received an invalid frame\n");
cmd->status = -EIO;
goto sched_wq;
--
2.39.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] nfc: port100: guard against incomplete USB frames
2025-11-17 4:22 [PATCH] nfc: port100: guard against incomplete USB frames =?gb18030?B?Zmx5bm5uY2hlbiizwszss/4p?=
@ 2025-11-21 19:45 ` Simon Horman
0 siblings, 0 replies; 2+ messages in thread
From: Simon Horman @ 2025-11-21 19:45 UTC (permalink / raw)
To: flynnnchen(陈天楚); +Cc: krzk, netdev, linux-kernel
On Mon, Nov 17, 2025 at 12:22:15PM +0800, flynnnchen(陈天楚) wrote:
> Discovered by Atuin - Automated Vulnerability Discovery Engine.
>
> Validate that the URB payload is long enough for the frame header and the
> advertised data length before accessing it, so truncated transfers are
> rejected with -EIO, preventing the driver from reading out-of-bounds and
> leaking kernel memory to USB devices.
>
> Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Thanks,
FWIIW, I agree with your analysis and solution.
I would add a fixes tag, as it is a fix for code present in the
net tree.
Perhaps this one: this seems to be the commit where the problem
was introduced.
Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
And it would be best to explicitly target such a fix at the net
tree, like this:
Subject: [PATCH net] ...
On a process note, as the from address of your email doesn't match
the Signed-off-by line, I think it would be best to include a From:
line at the very beginning of the commit message, with your name
matching the Signed-off-by line.
i.e.
From: Tianchu Chen <flynnnchen@tencent.com>
But over all this looks good to me.
Reviewed-by: Simon Horman <horms@kernel.org>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-11-21 19:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-17 4:22 [PATCH] nfc: port100: guard against incomplete USB frames =?gb18030?B?Zmx5bm5uY2hlbiizwszss/4p?=
2025-11-21 19:45 ` Simon Horman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).