Skip to content

Commit 58bdd54

Browse files
YueHaibingdavem330
YueHaibing
authored and
davem330
committed
net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
KASAN report this: BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc] Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401 CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ hardkernel#45 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xfa/0x1ce lib/dump_stack.c:113 kasan_report+0x171/0x18d mm/kasan/report.c:321 memcpy+0x1f/0x50 mm/kasan/common.c:130 nfc_llcp_build_gb+0x37f/0x540 [nfc] nfc_llcp_register_device+0x6eb/0xb50 [nfc] nfc_register_device+0x50/0x1d0 [nfc] nfcsim_device_new+0x394/0x67d [nfcsim] ? 0xffffffffc1080000 nfcsim_init+0x6b/0x1000 [nfcsim] do_one_initcall+0xfa/0x5ca init/main.c:887 do_init_module+0x204/0x5f6 kernel/module.c:3460 load_module+0x66b2/0x8570 kernel/module.c:3808 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x462e99 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 nfc_llcp_build_tlv will return NULL on fails, caller should check it, otherwise will trigger a NULL dereference. Reported-by: Hulk Robot <hulkci@huawei.com> Fixes: eda21f1 ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames") Fixes: d646960 ("NFC: Initial LLCP support") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 232ba3a commit 58bdd54

2 files changed

Lines changed: 40 additions & 4 deletions

File tree

net/nfc/llcp_commands.c

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -419,6 +419,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
419419
sock->service_name,
420420
sock->service_name_len,
421421
&service_name_tlv_length);
422+
if (!service_name_tlv) {
423+
err = -ENOMEM;
424+
goto error_tlv;
425+
}
422426
size += service_name_tlv_length;
423427
}
424428

@@ -429,9 +433,17 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
429433

430434
miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
431435
&miux_tlv_length);
436+
if (!miux_tlv) {
437+
err = -ENOMEM;
438+
goto error_tlv;
439+
}
432440
size += miux_tlv_length;
433441

434442
rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
443+
if (!rw_tlv) {
444+
err = -ENOMEM;
445+
goto error_tlv;
446+
}
435447
size += rw_tlv_length;
436448

437449
pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len);
@@ -484,9 +496,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
484496

485497
miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
486498
&miux_tlv_length);
499+
if (!miux_tlv) {
500+
err = -ENOMEM;
501+
goto error_tlv;
502+
}
487503
size += miux_tlv_length;
488504

489505
rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
506+
if (!rw_tlv) {
507+
err = -ENOMEM;
508+
goto error_tlv;
509+
}
490510
size += rw_tlv_length;
491511

492512
skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size);

net/nfc/llcp_core.c

Lines changed: 20 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -532,28 +532,44 @@ static u8 nfc_llcp_reserve_sdp_ssap(struct nfc_llcp_local *local)
532532

533533
static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
534534
{
535-
u8 *gb_cur, *version_tlv, version, version_length;
536-
u8 *lto_tlv, lto_length;
537-
u8 *wks_tlv, wks_length;
538-
u8 *miux_tlv, miux_length;
535+
u8 *gb_cur, version, version_length;
536+
u8 lto_length, wks_length, miux_length;
537+
u8 *version_tlv = NULL, *lto_tlv = NULL,
538+
*wks_tlv = NULL, *miux_tlv = NULL;
539539
__be16 wks = cpu_to_be16(local->local_wks);
540540
u8 gb_len = 0;
541541
int ret = 0;
542542

543543
version = LLCP_VERSION_11;
544544
version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
545545
1, &version_length);
546+
if (!version_tlv) {
547+
ret = -ENOMEM;
548+
goto out;
549+
}
546550
gb_len += version_length;
547551

548552
lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, &lto_length);
553+
if (!lto_tlv) {
554+
ret = -ENOMEM;
555+
goto out;
556+
}
549557
gb_len += lto_length;
550558

551559
pr_debug("Local wks 0x%lx\n", local->local_wks);
552560
wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length);
561+
if (!wks_tlv) {
562+
ret = -ENOMEM;
563+
goto out;
564+
}
553565
gb_len += wks_length;
554566

555567
miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
556568
&miux_length);
569+
if (!miux_tlv) {
570+
ret = -ENOMEM;
571+
goto out;
572+
}
557573
gb_len += miux_length;
558574

559575
gb_len += ARRAY_SIZE(llcp_magic);

0 commit comments

Comments
 (0)