| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Dec 2022 10:41:20 +0900
From: Minsuk Kang <linuxlovemin@...sei.ac.kr>
To: krzysztof.kozlowski@...aro.org, netdev@...r.kernel.org
Cc: linma@....edu.cn, davem@...emloft.net, sameo@...ux.intel.com,
dokyungs@...sei.ac.kr, jisoo.jang@...sei.ac.kr,
Minsuk Kang <linuxlovemin@...sei.ac.kr>
Subject: [PATCH net] nfc: pn533: Clear nfc_target in pn533_poll_dep_complete() before being used
This patch fixes a slab-out-of-bounds read in pn533 that occurs in
nla_put() called from nfc_genl_send_target() when target->sensb_res_len,
which is duplicated from nfc_target in pn533_poll_dep_complete(), is
too large as the nfc_target is not properly initialized and retains
garbage values. The patch clears the nfc_target before it is used.
Found by a modified version of syzkaller.
==================================================================
BUG: KASAN: slab-out-of-bounds in nla_put+0xe0/0x120
Read of size 94 at addr ffff888109d1dfa0 by task syz-executor/4367
CPU: 0 PID: 4367 Comm: syz-executor Not tainted 5.14.0+ #171
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8e/0xd1
print_address_description.constprop.0.cold+0x93/0x334
kasan_report.cold+0x83/0xdf
kasan_check_range+0x14e/0x1b0
memcpy+0x20/0x60
nla_put+0xe0/0x120
nfc_genl_dump_targets+0x74f/0xb20
genl_lock_dumpit+0x65/0x90
netlink_dump+0x4b0/0xa40
__netlink_dump_start+0x5dc/0x8c0
genl_family_rcv_msg_dumpit.isra.0+0x2a1/0x300
genl_rcv_msg+0x3c8/0x4f0
netlink_rcv_skb+0x130/0x3b0
genl_rcv+0x29/0x40
netlink_unicast+0x4a1/0x6a0
netlink_sendmsg+0x788/0xc90
sock_sendmsg+0xca/0x110
____sys_sendmsg+0x63f/0x780
___sys_sendmsg+0xfb/0x170
__sys_sendmsg+0xd8/0x190
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46b55d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f167a757c48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000686b60 RCX: 000000000046b55d
RDX: 0000000000000000 RSI: 000000004004fb80 RDI: 0000000000000009
RBP: 00000000004d9ba0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000686b60
R13: 0000000000686b68 R14: 00007ffd2f2facc0 R15: 00007f167a757dc0
Allocated by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888109d1df80
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 32 bytes inside of
96-byte region [ffff888109d1df80, ffff888109d1dfe0)
The buggy address belongs to the page:
page:ffffea0004274740 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109d1d
flags: 0x200000000000200(slab|node=0|zone=2)
raw: 0200000000000200 0000000000000000 dead000000000122 ffff888100041780
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 4366, ts 19572546791, free_ts 19568585127
prep_new_page+0x1aa/0x240
get_page_from_freelist+0x159a/0x27c0
__alloc_pages+0x2da/0x6a0
alloc_pages+0xec/0x1e0
allocate_slab+0x380/0x4e0
___slab_alloc+0x5bc/0x940
__slab_alloc+0x6d/0x80
__kmalloc+0x329/0x390
tomoyo_supervisor+0xb7f/0xd10
tomoyo_path_permission+0x26a/0x3a0
tomoyo_check_open_permission+0x2b0/0x310
tomoyo_file_open+0x99/0xc0
security_file_open+0x57/0x470
do_dentry_open+0x318/0xfe0
path_openat+0x1852/0x2310
do_filp_open+0x1c6/0x290
page last free stack trace:
free_pcp_prepare+0x3d3/0x7f0
free_unref_page+0x1e/0x3d0
unfreeze_partials.isra.0+0x211/0x2f0
put_cpu_partial+0x66/0x160
qlist_free_all+0x5a/0xc0
kasan_quarantine_reduce+0x13d/0x180
__kasan_slab_alloc+0x73/0x80
slab_post_alloc_hook+0x4d/0x490
__kmalloc+0x180/0x390
tomoyo_supervisor+0xb7f/0xd10
tomoyo_path_permission+0x26a/0x3a0
tomoyo_path_perm+0x2c1/0x3c0
security_inode_getattr+0xc2/0x130
vfs_getattr+0x27/0x60
vfs_fstat+0x3e/0x80
__do_sys_newfstat+0x7d/0xf0
Memory state around the buggy address:
ffff888109d1de80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff888109d1df00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff888109d1df80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
^
ffff888109d1e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888109d1e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Reported-by: Dokyung Song <dokyungs@...sei.ac.kr>
Reported-by: Jisoo Jang <jisoo.jang@...sei.ac.kr>
Reported-by: Minsuk Kang <linuxlovemin@...sei.ac.kr>
Signed-off-by: Minsuk Kang <linuxlovemin@...sei.ac.kr>
---
drivers/nfc/pn533/pn533.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index d9f6367b9993..c6a611622668 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -1295,6 +1295,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
if (IS_ERR(resp))
return PTR_ERR(resp);
+ memset(&nfc_target, 0, sizeof(struct nfc_target));
+
rsp = (struct pn533_cmd_jump_dep_response *)resp->data;
rc = rsp->status & PN533_CMD_RET_MASK;
--
2.25.1
Powered by blists - more mailing lists