CVE-2023-52919: Linux Kernel NFC NCI Fix for Possible NULL Pointer Dereference in send_acknowledge()
In the Linux kernel, a vulnerability has been resolved related to the NFC (Near Field Communication) NCI (NFC Controller Interface) subsystem. An issue was discovered that could lead to a possible NULL pointer dereference in the send_acknowledge() function, causing the system to crash or become unresponsive. This vulnerability has been assigned CVE-2023-52919.
The vulnerability was addressed by properly handling memory allocation failures arising from nci_skb_alloc() (which calls alloc_skb()), thus avoiding the NULL pointer dereference issue. Let's dive into the details of the problem and the solution.
Vulnerability Details
The vulnerability lies in the Linux kernel's support for the NFC NCI subsystem. Specifically, it can be found in the send_acknowledge() function, which is responsible for sending an ACK (acknowledgment) message when an NCI communication has been completed successfully.
The issue was discovered when a memory allocation failure from the nci_skb_alloc() function (which calls alloc_skb()) was not being handled properly. This failure could lead to a NULL pointer dereference, causing a system crash or making the system unresponsive.
Exploit
An attacker could potentially exploit this vulnerability if they were close enough to an affected system with NFC enabled. Although this exploit would be challenging to execute, it could potentially result in unauthorized access, crashed systems, or processing delays.
Code Snippet (Before the Fix)
Below is a snippet of the vulnerable code (before the patch was applied) from the send_acknowledge() function:
static void send_acknowledge(struct nci_dev *ndev)
{
struct sk_buff *skb = nci_skb_alloc(ndev, , );
nci_add_cmd_hdr(skb, NCI_OP_CORE_CONN_CPLT_NTF, );
nci_send_frame(ndev, skb);
}
The issue lies in the nci_skb_alloc() function call (and alloc_skb() by extension), which is not being checked for memory allocation failure, leading to the possibility of a NULL pointer dereference.
Code Snippet (After the Fix)
Here's the patched version of the code, which includes proper handling of the memory allocation failure:
static void send_acknowledge(struct nci_dev *ndev)
{
struct sk_buff *skb = nci_skb_alloc(ndev, , );
if (!skb) {
nci_err(ndev, "Failed to allocate skb\n");
return;
}
nci_add_cmd_hdr(skb, NCI_OP_CORE_CONN_CPLT_NTF, );
nci_send_frame(ndev, skb);
}
As you can see in the patched code, the memory allocation failure is now being checked with an if (!skb) condition, and an error message is printed to notify the user of the failed allocation. Subsequently, the function returns, preventing the NULL pointer dereference issue.
Original References
- Vulnerability details can be found in the Linux kernel source code repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
- The specific patch that addresses the vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=
Conclusion
The CVE-2023-52919 vulnerability in the Linux kernel NFC NCI subsystem has been addressed by properly handling memory allocation failures arising from nci_skb_alloc() and alloc_skb(). As a result, the potential NULL pointer dereference issue has been avoided, and affected systems are now protected from crashes or unresponsiveness arising from this vulnerability.
It is recommended that users and administrators of Linux systems running the affected kernel versions upgrade to the latest version, which incorporates this fix, to ensure their systems remain protected against this potential vulnerability.
Timeline
Published on: 10/22/2024 08:15:02 UTC
Last modified on: 10/24/2024 03:53:16 UTC