| field | value | date |
|---|---|---|
| author | Minsuk Kang <linuxlovemin@yonsei.ac.kr> | 2022-12-14 02:51:39 +0100 |
| committer | Jakub Kicinski <kuba@kernel.org> | 2022-12-15 05:51:29 +0100 |
| commit | 9f28157778ede0d4f183f7ab3b46995bb400abbe (patch) | |
| tree | b6ab21449064efde50e02fa5e0b700cc2a580377 /net | |
| parent | net: enetc: avoid buffer leaks on xdp_do_redirect() failure (diff) | |
nfc: pn533: Clear nfc_target before being used
Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.
Found by a modified version of syzkaller.
BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
memcpy
nla_put
nfc_genl_dump_targets
genl_lock_dumpit
netlink_dump
__netlink_dump_start
genl_family_rcv_msg_dumpit
genl_rcv_msg
netlink_rcv_skb
genl_rcv
netlink_unicast
netlink_sendmsg
sock_sendmsg
____sys_sendmsg
___sys_sendmsg
__sys_sendmsg
do_syscall_64
Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
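As an added illustration of the defect the commit message describes (not the driver's or the commit's own code), a constructed C model: a target object whose memory is never cleared keeps a stale sensb_res_len, so the copy that exports it must refuse the length, while clearing the object first leaves the field at 0. The struct layout, buffer sizes and function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for struct nfc_target with an assumed buffer size;
 * not the kernel's own definition. */
#define SENSB_RES_MAX 12
struct demo_nfc_target {
    uint8_t nfcid1[10];
    uint8_t nfcid1_len;
    uint8_t sensb_res[SENSB_RES_MAX];
    uint8_t sensb_res_len;
};

/* Buggy pattern: fill only the fields this detection path knows about and
 * leave sensb_res_len holding whatever the memory contained before.
 * Callers pass len <= sizeof(t->nfcid1). */
static void fill_target_buggy(struct demo_nfc_target *t,
                              const uint8_t *nfcid1, uint8_t len)
{
    memcpy(t->nfcid1, nfcid1, len);
    t->nfcid1_len = len;
}

/* Fixed pattern, as the commit describes: clear the object first so unset
 * length fields read as 0 rather than garbage. */
static void fill_target_fixed(struct demo_nfc_target *t,
                              const uint8_t *nfcid1, uint8_t len)
{
    memset(t, 0, sizeof(*t));
    fill_target_buggy(t, nfcid1, len);
}

/* Consumer modelled on the netlink export. Returns bytes copied, or -1 when
 * sensb_res_len would read past the source buffer (what KASAN flagged). */
static int export_sensb_res(const struct demo_nfc_target *t,
                            uint8_t *out, size_t out_len)
{
    if (t->sensb_res_len > SENSB_RES_MAX || t->sensb_res_len > out_len)
        return -1;
    memcpy(out, t->sensb_res, t->sensb_res_len);
    return t->sensb_res_len;
}

/* One scenario on an object poisoned with 0xAA to stand in for uncleared
 * slab memory; returns the export result for the buggy or the fixed fill. */
static int demo(int clear_first)
{
    struct demo_nfc_target t;
    const uint8_t nfcid1[4] = { 0x01, 0x02, 0x03, 0x04 }; /* constructed */
    uint8_t out[SENSB_RES_MAX];

    memset(&t, 0xAA, sizeof(t));
    (clear_first ? fill_target_fixed : fill_target_buggy)(&t, nfcid1, 4);
    return export_sensb_res(&t, out, sizeof(out));
}
```

demo(0) reports -1 because the stale length (0xAA) exceeds the buffer; demo(1) reports 0 because the cleared object carries no sensb_res.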
Diffstat (limited to 'net')
0 files changed, 0 insertions, 0 deletions