linux-stable/net/nfc
Fedor Pchelkin 5c0c5ffaed nfc: nci: free rx_data_reassembly skb on NCI device cleanup
commit bfb007aebe upstream.

rx_data_reassembly skb is stored during NCI data exchange for processing
fragmented packets. It is dropped only when the last fragment is processed
or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.
However, the NCI device may be deallocated before that, which leads to an
skb leak.

As by design the rx_data_reassembly skb is bound to the NCI device and
nothing prevents the device from being freed before the skb is processed in
some way and cleaned, free it on the NCI device cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 6a2968aaf5 ("NFC: basic NCI protocol implementation")
Cc: stable@vger.kernel.org
Reported-by: syzbot+6b7c68d9c21e4ee4251b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-02-23 09:12:37 +01:00
hci NFC: hci: Split memcpy() of struct hcp_message flexible array 2022-09-27 07:45:18 -07:00
nci nfc: nci: free rx_data_reassembly skb on NCI device cleanup 2024-02-23 09:12:37 +01:00
af_nfc.c nfc: fix error handling of nfc_proto_register() 2021-10-13 17:32:38 -07:00
core.c net: nfc: Directly use ida_alloc()/free() 2022-05-28 15:28:47 +01:00
digital.h
digital_core.c NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() 2021-10-13 17:44:29 -07:00
digital_dep.c
digital_technology.c NFC: digital: fix possible memory leak in digital_in_send_sdd_req() 2021-10-13 17:44:29 -07:00
Kconfig
llcp.h net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-19 16:21:13 +02:00
llcp_commands.c net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-19 16:21:13 +02:00
llcp_core.c nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local 2024-01-10 17:10:22 +01:00
llcp_sock.c net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-19 16:21:13 +02:00
Makefile
netlink.c net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-19 16:21:13 +02:00
nfc.h net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-19 16:21:13 +02:00
rawsock.c net: remove noblock parameter from skb_recv_datagram() 2022-04-06 13:45:26 +01:00