A vulnerability (CVE-2024-35915) was recently discovered and resolved in the Linux kernel's Near Field Communication (NFC) Network Controller Interface (NCI) module. The issue was reported by syzbot [1], which flagged an uninitialized-value read in the module's receive path. This article takes an in-depth look at the problem and the fix applied to address it.
The Vulnerability
The vulnerability lies within the nci_rx_work function, which processes received packets. When the payload length field of a packet is zero, the dispatch still hands the packet to the handler for its message type, and each handler goes on to read a payload that was never received. KernelMemorySanitizer (KMSAN) detects this as an uninitialized-value access [2]. In the NFC NCI module, a packet with a zero-size payload is unexpected, and the correct behaviour is to discard it silently.
The Fix
To resolve this vulnerability, a patch was applied to the NFC NCI kernel code. The patch ensures that the payload size is checked before calling each message type handler. This code snippet shows the relevant changes:
+++ b/net/nfc/nci/core.c
@@ -167,6 +167,12 @@ static void nci_rx_work(struct work_struct *work)
goto exit;
}
+ /* Silently discard packets with zero-size payload */
+ if (len == ) {
+ pr_err("Received packet with zero-size payload\n");
+ goto exit;
+ }
+
switch (hdr->mt) {
case NCI_MT_DATA:
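Review bot: the new check `if (len == ) {` is missing its right-hand operand and will not compile as shown; it needs to compare against zero, i.e. `if (len == 0) {`. The comment above it says the packet is "silently" discarded, yet the body calls `pr_err()` on every such packet; either drop the log or use a debug or ratelimited variant, since a misbehaving controller or peer could otherwise flood the kernel log. The hunk also does not show what the `exit` label does with the received buffer; confirm that the buffer is released on this path, as the existing `goto exit` two lines above presumably already relies on.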
With this check in place, a packet whose payload length is zero is logged and dropped before any message type handler runs, so the handlers never read beyond the header.
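To make the failure mode and the fix concrete, here is an added example in C, written for this article rather than taken from the kernel or the patch. It models the dispatch in nci_rx_work on a toy receive buffer: in "vulnerable" mode it trusts the message type and calls the handler even when the payload length is zero, so the handler reads a byte the controller never sent; in "hardened" mode it drops such packets first. It assumes the NCI header layout that the kernel's nci_mt() and nci_plen() helpers decode (message type in the top three bits of byte 0, payload length in byte 2). The names nci_rx_dispatch, build_frame, handle_packet and rx_status are invented for the example, the frames are constructed inline, and the example goes one step beyond the patch by also rejecting frames whose payload length claims more bytes than actually arrived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NCI packet header: byte 0 carries the message type in its top 3 bits,
 * byte 2 is the payload length (PLEN). This is the layout the kernel's
 * nci_mt() and nci_plen() helpers decode. */
#define NCI_HDR_LEN     3
#define NCI_MT_DATA_PKT 0x00
#define NCI_MT_CMD_PKT  0x01
#define NCI_MT_RSP_PKT  0x02
#define NCI_MT_NTF_PKT  0x03

#define RX_BUF_LEN 64

/* Drop reasons returned by the dispatcher (names are assumptions for this
 * example, not kernel identifiers). */
enum rx_status {
	RX_HANDLED = 0,
	RX_DROP_TOO_SHORT = -1,     /* fewer than NCI_HDR_LEN bytes arrived */
	RX_DROP_EMPTY_PAYLOAD = -2, /* PLEN == 0: the CVE-2024-35915 case */
	RX_DROP_TRUNCATED = -3,     /* PLEN claims more bytes than arrived */
	RX_DROP_UNKNOWN_MT = -4,
};

static uint8_t nci_mt(const uint8_t *hdr)   { return (hdr[0] & 0xe0) >> 5; }
static uint8_t nci_plen(const uint8_t *hdr) { return hdr[2]; }

/* Stand-in for the per-type handlers: each reads the first payload byte
 * (e.g. a status code in a response), exactly the read that goes wrong
 * when no payload was received. */
static uint8_t handle_packet(const uint8_t *payload)
{
	return payload[0];
}

/* Model of the nci_rx_work dispatch. rx_buf is the receive buffer; only the
 * first frame_len bytes were written by the controller, the rest holds
 * whatever was there before (our stand-in for uninitialised memory).
 * With hardened == 0 the handler is called even when PLEN is 0, so it
 * reads rx_buf[3], a byte that never arrived. */
int nci_rx_dispatch(const uint8_t *rx_buf, size_t frame_len, int hardened,
		    uint8_t *first_payload_byte)
{
	if (frame_len < NCI_HDR_LEN)
		return RX_DROP_TOO_SHORT;

	if (hardened) {
		/* The fix: discard zero-size payloads before any handler runs. */
		if (nci_plen(rx_buf) == 0)
			return RX_DROP_EMPTY_PAYLOAD;
		/* Extra check (not in the patch): PLEN must fit what arrived. */
		if (nci_plen(rx_buf) > frame_len - NCI_HDR_LEN)
			return RX_DROP_TRUNCATED;
	}

	switch (nci_mt(rx_buf)) {
	case NCI_MT_DATA_PKT:
	case NCI_MT_RSP_PKT:
	case NCI_MT_NTF_PKT:
		*first_payload_byte = handle_packet(rx_buf + NCI_HDR_LEN);
		return RX_HANDLED;
	default:
		return RX_DROP_UNKNOWN_MT;
	}
}

/* Writes a constructed frame into rx_buf and returns its length. */
size_t build_frame(uint8_t *rx_buf, uint8_t mt, uint8_t oid,
		   const uint8_t *payload, uint8_t plen)
{
	rx_buf[0] = (uint8_t)(mt << 5);
	rx_buf[1] = oid;
	rx_buf[2] = plen;
	if (plen)
		memcpy(rx_buf + NCI_HDR_LEN, payload, plen);
	return NCI_HDR_LEN + plen;
}

int main(void)
{
	uint8_t rx_buf[RX_BUF_LEN];
	uint8_t byte = 0;
	size_t len;
	int r;

	/* Stale data in the buffer stands in for uninitialised memory. */
	memset(rx_buf, 0xA5, sizeof(rx_buf));

	/* Constructed response packet with an empty payload. */
	len = build_frame(rx_buf, NCI_MT_RSP_PKT, 0x00, NULL, 0);

	r = nci_rx_dispatch(rx_buf, len, 0, &byte);
	printf("vulnerable: status=%d, handler read 0x%02x (never received)\n", r, byte);

	r = nci_rx_dispatch(rx_buf, len, 1, &byte);
	printf("hardened:   status=%d (packet dropped)\n", r);
	return 0;
}
```

Under KMSAN the vulnerable path would be reported at the `payload[0]` read, since that byte was never written by the receive path; the hardened path never reaches it. The length-versus-received check is the second half of the same idea: a PLEN the buffer cannot back is just as untrustworthy as a PLEN of zero.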
Exploit Details
An attacker could potentially trigger this vulnerability by sending crafted packets with a zero-length payload to the NFC NCI module, causing the message type handlers to read memory that the incoming packet never filled in. This could lead to undefined behavior or to disclosure of stale kernel memory contents. However, the vulnerability is considered low-risk, as exploiting it would require physical proximity to the target device, and the impact is limited to the NFC NCI module.
Original References
- [1] syzbot report on Linux Kernel Mailing List
- [2] KMSAN report
Conclusion
CVE-2024-35915 is a noteworthy vulnerability in the Linux kernel's NFC NCI module. The issue was discovered by syzbot and reported to the kernel development community, and it has been fixed by a patch that checks the payload size before calling the message type handlers. Users should keep their kernels up to date to ensure they have the latest security fixes, including the one for CVE-2024-35915.
Timeline
Published on: 05/19/2024 09:15:11 UTC
Last modified on: 12/19/2024 08:58:11 UTC