Message-ID: <2024091335-CVE-2024-46676-0b05@gregkh>
Date: Fri, 13 Sep 2024 07:30:37 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-46676: nfc: pn533: Add poll mod list filling check
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: Add poll mod list filling check
In case the im_protocols value is 1 and the tm_protocols value is 0, this
combination successfully passes the check
'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().
But then after the pn533_poll_create_mod_list() call in pn533_start_poll()
the poll mod list will remain empty and dev->poll_mod_count will remain 0,
which leads to a division by zero.
Normally no im protocol has value 1 in the mask, so this combination is
not expected by the driver. But these protocol values actually come from
userspace via the Netlink interface (NFC_CMD_START_POLL operation). So a
broken or malicious program may pass a message containing a "bad"
combination of protocol parameter values so that dev->poll_mod_count
is not incremented inside pn533_poll_create_mod_list(), thus leading
to a division by zero.
Call trace looks like:
nfc_genl_start_poll()
  nfc_start_poll()
    ->start_poll()
      pn533_start_poll()
Add poll mod list filling check.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
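To make the failure mode concrete, the following is an added model of the logic described above; it is not the kernel's pn533 code. The protocol mask bits, the struct, the MAX_POLL_MODS bound and the MODEL_DIV_BY_ZERO sentinel are all constructed for this illustration, and the modulo step is folded into the same call for brevity (in the driver it runs later, when the poll mode is advanced). The model shows why the generic-layer check alone is insufficient: im_protocols == 1 passes it, fills no poll mode, and leaves poll_mod_count at 0 right before a modulo by that count. The with_fix flag adds the list-filling check the patch introduces.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_POLL_MODS 8

/* Constructed stand-ins for the NFC_PROTO_*_MASK bits used by the real
 * driver. Bit 0 is deliberately left unassigned, mirroring the report's
 * note that no initiator-mode protocol has mask value 1. */
#define IM_PROTO_A_MASK (1u << 1)
#define IM_PROTO_B_MASK (1u << 2)
#define IM_PROTO_F_MASK (1u << 3)
#define TM_PROTO_MASK   (1u << 4)

/* Sentinel returned where the real driver would divide by zero. */
#define MODEL_DIV_BY_ZERO (-1000)

/* Minimal model of the per-device state touched by the bug. */
struct pn533_model {
    unsigned int poll_mod_count;
    unsigned int poll_mod_curr;
    unsigned int poll_mods[MAX_POLL_MODS];
};

static void add_mod(struct pn533_model *dev, unsigned int mod)
{
    if (dev->poll_mod_count < MAX_POLL_MODS)
        dev->poll_mods[dev->poll_mod_count++] = mod;
}

/* Models pn533_poll_create_mod_list(): only recognised mask bits add
 * entries, so an unrecognised mask such as im_protocols == 1 adds none. */
static void create_mod_list(struct pn533_model *dev, uint32_t im, uint32_t tm)
{
    dev->poll_mod_count = 0;
    if (im & IM_PROTO_A_MASK) add_mod(dev, IM_PROTO_A_MASK);
    if (im & IM_PROTO_B_MASK) add_mod(dev, IM_PROTO_B_MASK);
    if (im & IM_PROTO_F_MASK) add_mod(dev, IM_PROTO_F_MASK);
    if (tm & TM_PROTO_MASK)   add_mod(dev, TM_PROTO_MASK);
}

/* Models the modulo step that advances to the next poll mode. The real
 * driver performs it unconditionally; the guard here only swaps the
 * resulting crash for a sentinel so the model can be run safely. */
static int next_mod(struct pn533_model *dev)
{
    if (dev->poll_mod_count == 0)
        return MODEL_DIV_BY_ZERO;
    dev->poll_mod_curr = (dev->poll_mod_curr + 1) % dev->poll_mod_count;
    return 0;
}

/* Models nfc_start_poll() -> pn533_start_poll(). with_fix == 0 omits the
 * list-filling check (vulnerable behaviour); with_fix == 1 rejects an
 * empty list before any modulo can run. */
static int start_poll(struct pn533_model *dev, uint32_t im, uint32_t tm,
                      int with_fix)
{
    /* Generic-layer check: rejects only the all-zero combination. */
    if (!im && !tm)
        return -EINVAL;

    create_mod_list(dev, im, tm);

    /* The fix: a mask combination that produced no poll modes is an error. */
    if (with_fix && dev->poll_mod_count == 0)
        return -EINVAL;

    dev->poll_mod_curr = 0;
    return next_mod(dev);
}

/* Convenience wrappers so each scenario is a single call. */
int run_start_poll(uint32_t im, uint32_t tm, int with_fix)
{
    struct pn533_model dev = {0};
    return start_poll(&dev, im, tm, with_fix);
}

unsigned int run_mod_count(uint32_t im, uint32_t tm)
{
    struct pn533_model dev = {0};
    create_mod_list(&dev, im, tm);
    return dev.poll_mod_count;
}

int main(void)
{
    printf("im=0 tm=0         -> %d (generic check)\n", run_start_poll(0, 0, 0));
    printf("im=1 tm=0 unfixed -> %d (would divide by zero)\n", run_start_poll(1, 0, 0));
    printf("im=1 tm=0 fixed   -> %d (-EINVAL)\n", run_start_poll(1, 0, 1));
    printf("im=A|F tm=0 fixed -> %d, %u modes\n",
           run_start_poll(IM_PROTO_A_MASK | IM_PROTO_F_MASK, 0, 1),
           run_mod_count(IM_PROTO_A_MASK | IM_PROTO_F_MASK, 0));
    return 0;
}
```

The general lesson is the one the advisory states: a validity check in a generic layer (here, "both masks zero") does not guarantee the driver-specific transformation of those values produced something usable, so the driver must check its own derived state (poll_mod_count) before using it as a divisor.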
The Linux kernel CVE team has assigned CVE-2024-46676 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.12 with commit dfccd0f58044 and fixed in 5.4.283 with commit c5e05237444f
Issue introduced in 3.12 with commit dfccd0f58044 and fixed in 5.10.225 with commit 8ddaea033de0
Issue introduced in 3.12 with commit dfccd0f58044 and fixed in 5.15.166 with commit 7535db0624a2
Issue introduced in 3.12 with commit dfccd0f58044 and fixed in 6.1.108 with commit 7ecd3dd4f8ee
Issue introduced in 3.12 with commit dfccd0f58044 and fixed in 6.6.49 with commit 56ad559cf6d8
Issue introduced in 3.12 with commit dfccd0f58044 and fixed in 6.10.8 with commit 64513d0e546a
Issue introduced in 3.12 with commit dfccd0f58044 and fixed in 6.11-rc6 with commit febccb39255f
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-46676
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/nfc/pn533/pn533.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31
https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33
https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723
https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4
https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946
https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5
https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0deae50e53