lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <d73ccfcf-507c-4c22-beeb-efc24f671626@0x83.eu>
Date: Sat, 7 Feb 2026 01:25:29 +0100
From: "Lukas K." <kernel@...3.eu>
To: Thorsten Leemhuis <regressions@...mhuis.info>, "Lukas K."
 <kernel@...3.eu>, linux-kernel@...r.kernel.org, krzk@...nel.org
Cc: regressions@...ts.linux.dev, netdev@...r.kernel.org,
 Michael Thalmeier <michael.thalmeier@...e.at>
Subject: Re: [REGRESSION] NFC broken on Thinkpad T14 Gen since 9c328f5

On 06.02.26 17:24, Thorsten Leemhuis wrote:
> On 2/6/26 16:15, Lukas K. wrote:
>>
>> from 6.17.2 to 6.17.3, the integrated NFC reader (driver: nxp-nci_i2c)
>> in the Thinkpad T14 Gen 4 (AMD) stopped detecting tags. This can be
>> tested by running
>>
>> sudo nfctool -1 -p -d nfc0
>>
>> Looking at the commits between 6.17.2 and 6.17.3, 9c328f5 (net: nfc:
>> nci: Add parameter validation for packet data) was the only one related
>> to NFC.
>>
>> To see if that commit indeed was the culprit, I reverted it on 6.18.7
>> and nfctool is detecting tags again.
>>
>> Since the offending commit merely adds some bounds checks, the root
>> cause may very well be in another driver in the NFC stack.
> 
> Thx for the report. Seems Michael (now CCed) also ran into problems and
> tried to fix them, but looks like that effort stalled; but might be good
> to know if this fixes your problem, too:
> 
> https://lore.kernel.org/all/20260112124819.171028-1-michael.thalmeier@hale.at/

Hi Thorsten,

thanks for the pointer. Tried the patch you linked to and it works for me.

Don't know how to reply to the linked mail as I'm new to LKML, but one 
thing caught my eye:

 > static const __u8 *
 > nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
 >                                        struct 
rf_tech_specific_params_nfca_poll *nfca_poll,
 >-                                       const __u8 *data)
 >+                                       const __u8 *data, size_t data_len)
 > {
 >+       /* Check if we have enough data for sens_res (2 bytes) */
 >+       if (data_len < 2)
 >+               return ERR_PTR(-EINVAL);
 >+
 >        nfca_poll->sens_res = __le16_to_cpu(*((__le16 *)data));
 >        data += 2;
 >+       data_len -= 2;
 >+
 >+       /* Check if we have enough data for nfcid1_len (1 byte) */
 >+       if (data_len < 1)
 >+               return ERR_PTR(-EINVAL);

If data_len underflows at any point it'll wrap to some large value and 
the less than comparisons will yield an incorrect result. Using ssize_t 
should fix that.

Best Regards,

Lukas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ