| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <13e55ef1-24fd-6b78-8b67-792c7452fe79@linaro.org>
Date: Wed, 14 Dec 2022 14:14:09 +0100
From: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To: Minsuk Kang <linuxlovemin@...sei.ac.kr>, netdev@...r.kernel.org
Cc: linma@....edu.cn, davem@...emloft.net, sameo@...ux.intel.com,
linville@...driver.com, dokyungs@...sei.ac.kr,
jisoo.jang@...sei.ac.kr
Subject: Re: [PATCH net v3] nfc: pn533: Clear nfc_target before being used
On 14/12/2022 02:51, Minsuk Kang wrote:
> Fix a slab-out-of-bounds read that occurs in nla_put() called from
> nfc_genl_send_target() when target->sensb_res_len, which is duplicated
> from an nfc_target in pn533, is too large as the nfc_target is not
> properly initialized and retains garbage values. Clear nfc_targets with
> memset() before they are used.
>
> Found by a modified version of syzkaller.
>
> BUG: KASAN: slab-out-of-bounds in nla_put
> Call Trace:
> memcpy
> nla_put
> nfc_genl_dump_targets
> genl_lock_dumpit
> netlink_dump
> __netlink_dump_start
> genl_family_rcv_msg_dumpit
> genl_rcv_msg
> netlink_rcv_skb
> genl_rcv
> netlink_unicast
> netlink_sendmsg
> sock_sendmsg
> ____sys_sendmsg
> ___sys_sendmsg
> __sys_sendmsg
> do_syscall_64
>
> Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
> Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
> Signed-off-by: Minsuk Kang <linuxlovemin@...sei.ac.kr>
> ---
> v2->v3:
> Remove an inappropriate tag
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
Best regards,
Krzysztof
Powered by blists - more mailing lists