9da4a0411f3455e3885831d0758bee3e3d565bbc - kernel/msm-4.9

commit	9da4a0411f3455e3885831d0758bee3e3d565bbc	[log] [tgz]
author	Minsuk Kang <linuxlovemin@yonsei.ac.kr>	Wed Dec 14 10:51:39 2022 +0900
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Sat Jan 07 12:07:29 2023 +0100
tree	eb9689435e1c2f27c728a4e40595acc26998dc63
parent	7f1cda9c19ba45453abf3a1b305fff3e81140200 [diff]

nfc: pn533: Clear nfc_target before being used

[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ]

Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.

Found by a modified version of syzkaller.

BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
 memcpy
 nla_put
 nfc_genl_dump_targets
 genl_lock_dumpit
 netlink_dump
 __netlink_dump_start
 genl_family_rcv_msg_dumpit
 genl_rcv_msg
 netlink_rcv_skb
 genl_rcv
 netlink_unicast
 netlink_sendmsg
 sock_sendmsg
 ____sys_sendmsg
 ___sys_sendmsg
 __sys_sendmsg
 do_syscall_64

Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/nfc/pn533/pn533.c[diff]

1 file changed

tree: eb9689435e1c2f27c728a4e40595acc26998dc63