nfc: pn533: Clear nfc_target before being used
[ Upstream commit 9f28157778
] Fix a slab-out-of-bounds read that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, which is duplicated from an nfc_target in pn533, is too large as the nfc_target is not properly initialized and retains garbage values. Clear nfc_targets with memset() before they are used. Found by a modified version of syzkaller. BUG: KASAN: slab-out-of-bounds in nla_put Call Trace: memcpy nla_put nfc_genl_dump_targets genl_lock_dumpit netlink_dump __netlink_dump_start genl_family_rcv_msg_dumpit genl_rcv_msg netlink_rcv_skb genl_rcv netlink_unicast netlink_sendmsg sock_sendmsg ____sys_sendmsg ___sys_sendmsg __sys_sendmsg do_syscall_64 Fixes:673088fb42
("NFC: pn533: Send ATR_REQ directly for active device detection") Fixes:361f3cb7f9
("NFC: DEP link hook implementation for pn533") Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
306526331e
commit
e491285b4d
1 changed files with 4 additions and 0 deletions
@ -1295,6 +1295,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
|
|||
if (IS_ERR(resp))
|
||||
return PTR_ERR(resp);
|
||||
|
||||
memset(&nfc_target, 0, sizeof(struct nfc_target));
|
||||
|
||||
rsp = (struct pn533_cmd_jump_dep_response *)resp->data;
|
||||
|
||||
rc = rsp->status & PN533_CMD_RET_MASK;
|
||||
|
@ -1926,6 +1928,8 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
|
|||
|
||||
dev_dbg(dev->dev, "Creating new target\n");
|
||||
|
||||
memset(&nfc_target, 0, sizeof(struct nfc_target));
|
||||
|
||||
nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK;
|
||||
nfc_target.nfcid1_len = 10;
|
||||
memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);
|
||||
|
|
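Review bot: Both added memset() calls zero the struct at the point of use rather than at its definition, which leaves the fix dependent on statement order: any future early path in pn533_poll_dep_complete() or pn533_in_dep_link_up_complete() that reaches nfc_targets_found() before the memset would reintroduce the same uninitialized-length read the commit is fixing. Since the declaration of `nfc_target` is outside both hunks, it is only a suggestion, but a zero-initializer on the local (`struct nfc_target nfc_target = {};`) cannot be bypassed and would make the two memset() lines unnecessary. If the memset() form is kept, the kernel-idiomatic spelling ties the size to the object rather than the type, `memset(&nfc_target, 0, sizeof(nfc_target));`, so a later change of the variable's type cannot leave a short clear. Both enclosing functions start and end outside the hunks.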