lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Dec 2022 10:41:20 +0900 From: Minsuk Kang <linuxlovemin@...sei.ac.kr> To: krzysztof.kozlowski@...aro.org, netdev@...r.kernel.org Cc: linma@....edu.cn, davem@...emloft.net, sameo@...ux.intel.com, dokyungs@...sei.ac.kr, jisoo.jang@...sei.ac.kr, Minsuk Kang <linuxlovemin@...sei.ac.kr> Subject: [PATCH net] nfc: pn533: Clear nfc_target in pn533_poll_dep_complete() before being used This patch fixes a slab-out-of-bounds read in pn533 that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, which is duplicated from nfc_target in pn533_poll_dep_complete(), is too large as the nfc_target is not properly initialized and retains garbage values. The patch clears the nfc_target before it is used. Found by a modified version of syzkaller. ================================================================== BUG: KASAN: slab-out-of-bounds in nla_put+0xe0/0x120 Read of size 94 at addr ffff888109d1dfa0 by task syz-executor/4367 CPU: 0 PID: 4367 Comm: syz-executor Not tainted 5.14.0+ #171 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x8e/0xd1 print_address_description.constprop.0.cold+0x93/0x334 kasan_report.cold+0x83/0xdf kasan_check_range+0x14e/0x1b0 memcpy+0x20/0x60 nla_put+0xe0/0x120 nfc_genl_dump_targets+0x74f/0xb20 genl_lock_dumpit+0x65/0x90 netlink_dump+0x4b0/0xa40 __netlink_dump_start+0x5dc/0x8c0 genl_family_rcv_msg_dumpit.isra.0+0x2a1/0x300 genl_rcv_msg+0x3c8/0x4f0 netlink_rcv_skb+0x130/0x3b0 genl_rcv+0x29/0x40 netlink_unicast+0x4a1/0x6a0 netlink_sendmsg+0x788/0xc90 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x63f/0x780 ___sys_sendmsg+0xfb/0x170 __sys_sendmsg+0xd8/0x190 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x46b55d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f167a757c48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000686b60 RCX: 000000000046b55d RDX: 0000000000000000 RSI: 000000004004fb80 RDI: 0000000000000009 RBP: 00000000004d9ba0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000686b60 R13: 0000000000686b68 R14: 00007ffd2f2facc0 R15: 00007f167a757dc0 Allocated by task 0: (stack is not available) The buggy address belongs to the object at ffff888109d1df80 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 32 bytes inside of 96-byte region [ffff888109d1df80, ffff888109d1dfe0) The buggy address belongs to the page: page:ffffea0004274740 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109d1d flags: 0x200000000000200(slab|node=0|zone=2) raw: 0200000000000200 0000000000000000 dead000000000122 ffff888100041780 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 4366, ts 19572546791, free_ts 19568585127 prep_new_page+0x1aa/0x240 get_page_from_freelist+0x159a/0x27c0 __alloc_pages+0x2da/0x6a0 alloc_pages+0xec/0x1e0 allocate_slab+0x380/0x4e0 ___slab_alloc+0x5bc/0x940 __slab_alloc+0x6d/0x80 __kmalloc+0x329/0x390 tomoyo_supervisor+0xb7f/0xd10 tomoyo_path_permission+0x26a/0x3a0 tomoyo_check_open_permission+0x2b0/0x310 tomoyo_file_open+0x99/0xc0 security_file_open+0x57/0x470 do_dentry_open+0x318/0xfe0 path_openat+0x1852/0x2310 do_filp_open+0x1c6/0x290 page last free stack trace: free_pcp_prepare+0x3d3/0x7f0 free_unref_page+0x1e/0x3d0 unfreeze_partials.isra.0+0x211/0x2f0 put_cpu_partial+0x66/0x160 qlist_free_all+0x5a/0xc0 kasan_quarantine_reduce+0x13d/0x180 __kasan_slab_alloc+0x73/0x80 slab_post_alloc_hook+0x4d/0x490 __kmalloc+0x180/0x390 tomoyo_supervisor+0xb7f/0xd10 tomoyo_path_permission+0x26a/0x3a0 tomoyo_path_perm+0x2c1/0x3c0 security_inode_getattr+0xc2/0x130 vfs_getattr+0x27/0x60 vfs_fstat+0x3e/0x80 __do_sys_newfstat+0x7d/0xf0 Memory state around the buggy address: ffff888109d1de80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888109d1df00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >ffff888109d1df80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ^ ffff888109d1e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888109d1e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection") Reported-by: Dokyung Song <dokyungs@...sei.ac.kr> Reported-by: Jisoo Jang <jisoo.jang@...sei.ac.kr> Reported-by: Minsuk Kang <linuxlovemin@...sei.ac.kr> Signed-off-by: Minsuk Kang <linuxlovemin@...sei.ac.kr> --- drivers/nfc/pn533/pn533.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c index d9f6367b9993..c6a611622668 100644 --- a/drivers/nfc/pn533/pn533.c +++ b/drivers/nfc/pn533/pn533.c @@ -1295,6 +1295,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg, if (IS_ERR(resp)) return PTR_ERR(resp); + memset(&nfc_target, 0, sizeof(struct nfc_target)); + rsp = (struct pn533_cmd_jump_dep_response *)resp->data; rc = rsp->status & PN533_CMD_RET_MASK; -- 2.25.1
Powered by blists - more mailing lists