diff options
| author | Minsuk Kang <[email protected]> | 2022-12-14 10:51:39 +0900 |
|---|---|---|
| committer | Jakub Kicinski <[email protected]> | 2022-12-14 20:51:29 -0800 |
| commit | 9f28157778ede0d4f183f7ab3b46995bb400abbe (patch) | |
| tree | b6ab21449064efde50e02fa5e0b700cc2a580377 /tools/perf/scripts/python/stat-cpi.py | |
| parent | 628050ec952d2e2e46ec9fb6aa07e41139e030c8 (diff) | |
nfc: pn533: Clear nfc_target before being used
Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.
Found by a modified version of syzkaller.
BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
memcpy
nla_put
nfc_genl_dump_targets
genl_lock_dumpit
netlink_dump
__netlink_dump_start
genl_family_rcv_msg_dumpit
genl_rcv_msg
netlink_rcv_skb
genl_rcv
netlink_unicast
netlink_sendmsg
sock_sendmsg
____sys_sendmsg
___sys_sendmsg
__sys_sendmsg
do_syscall_64
Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
Signed-off-by: Minsuk Kang <[email protected]>
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/stat-cpi.py')
0 files changed, 0 insertions, 0 deletions