lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <D9E78B690F07660A+202511171222138721171@tencent.com>
Date: Mon, 17 Nov 2025 12:22:15 +0800
From: "flynnnchen(陈天楚)" <flynnnchen@...cent.com>
To: krzk <krzk@...nel.org>
Cc: netdev <netdev@...r.kernel.org>, 
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: [PATCH] nfc: port100: guard against incomplete USB frames

Discovered by Atuin - Automated Vulnerability Discovery Engine.

Validate that the URB payload is long enough for the frame header and the
advertised data length before accessing it, so truncated transfers are
rejected with -EIO, preventing the driver from reading out-of-bounds and
leaking kernel memory to USB devices.

Signed-off-by: Tianchu Chen <flynnnchen@...cent.com>
---
 drivers/nfc/port100.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
index 00d8ea6dc..7cd439f66 100644
--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -568,11 +568,17 @@ static void port100_tx_update_payload_len(void *_frame, int len)
 	le16_add_cpu(&frame->datalen, len);
 }
 
-static bool port100_rx_frame_is_valid(const void *_frame)
+static bool port100_rx_frame_is_valid(const void *_frame, size_t len)
 {
 	u8 checksum;
 	const struct port100_frame *frame = _frame;
 
+	if (len < sizeof(*frame))
+		return false;
+
+	if (len < (size_t)(le16_to_cpu(frame->datalen)) + sizeof(*frame))
+		return false;
+
 	if (frame->start_frame != cpu_to_be16(PORT100_FRAME_SOF) ||
 	    frame->extended_frame != cpu_to_be16(PORT100_FRAME_EXT))
 		return false;
@@ -636,7 +642,7 @@ static void port100_recv_response(struct urb *urb)
 
 	in_frame = dev->in_urb->transfer_buffer;
 
-	if (!port100_rx_frame_is_valid(in_frame)) {
+	if (!port100_rx_frame_is_valid(in_frame, urb->actual_length)) {
 		nfc_err(&dev->interface->dev, "Received an invalid frame\n");
 		cmd->status = -EIO;
 		goto sched_wq;
-- 
2.39.5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ