git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-6.1/nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch
6.1-stable patches
From 65c397316e6d07a1195c4de3d74407006ab99cbe Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Wed, 20 Mar 2024 09:54:10 +0900
Subject: nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet

From: Ryosuke Yasuoka <ryasuoka@redhat.com>

[ Upstream commit d24b03535e5eb82e025219c2f632b485409c898f ]

syzbot reported the following uninit-value access issue [1][2]:

nci_rx_work() parses and processes received packets. When the payload
length is zero, each message type handler reads uninitialized payload
and KMSAN detects this issue. The receipt of a packet with a zero-size
payload is considered unexpected, and therefore, such packets should be
silently discarded.

This patch resolves this issue by checking the payload size before calling
each message type handler.

Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Reported-and-tested-by: syzbot+7ea9413ea6749baf5574@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+29b5ca705d2e0f4a44d2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7ea9413ea6749baf5574 [1]
Closes: https://syzkaller.appspot.com/bug?extid=29b5ca705d2e0f4a44d2 [2]
Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Reviewed-by: Jeremy Cline <jeremy@jcline.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/core.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index b5071a2f597d4..f76a2d8060340 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -1512,6 +1512,11 @@ static void nci_rx_work(struct work_struct *work)
nfc_send_to_raw_sock(ndev->nfc_dev, skb,
RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);

+ if (!nci_plen(skb->data)) {
+ kfree_skb(skb);
+ break;
+ }
+
/* Process frame */
switch (nci_mt(skb->data)) {
case NCI_MT_RSP_PKT:
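Review bot: the new `if (!nci_plen(skb->data))` test reads the length byte of the NCI header without any visible guard that the skb actually holds a complete header, so a frame shorter than the header still lets nci_plen() and nci_mt() read bytes beyond the received data, and a non-zero length byte on a truncated frame passes this check as well; consider verifying skb->len against the header size first and then that the declared payload length matches the bytes present, rather than testing only for zero. Also, since the `break` sits before the `switch`, it leaves the enclosing loop rather than moving on to the next queued frame; if the intent is only to drop this one packet, `continue` reads more naturally, otherwise a short comment saying the rest of the queue is deliberately abandoned would help the next reader.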
--
2.43.0
