CVE-2024-35915: Fixing Uninitialized Value Issue in Linux Kernel's NFC NCI Module

A vulnerability (CVE-2024-35915) was recently discovered and resolved in the Linux kernel's Near Field Communication (NFC) Network Controller Interface (NCI) module. The issue was reported by syzbot [1], which identified an uninitialized value access error. This article will provide an in-depth look at the problem and the fixes applied to address it.

The Vulnerability

The vulnerability in question lies within the nci_rx_work function, which processes received packets. When the payload length of a packet is zero, each message type handler ends up reading an uninitialized payload, which is detected as an issue by KernelMemorySanitizer (KMSAN) [2]. In the context of the NFC NCI module, a packet with a zero-size payload is considered unexpected and should be silently discarded.

The Fix

To resolve this vulnerability, a patch was applied to the NFC NCI kernel code. The patch ensures that the payload size is checked before calling each message type handler. This code snippet shows the relevant changes:

  +++ b/net/nfc/nci/core.c
  @@ -167,6 +167,12 @@ static void nci_rx_work(struct work_struct *work)
                       goto exit;
               }

  +            /* Silently discard packets with zero-size payload */
  +            if (len == ) {
  +                    pr_err("Received packet with zero-size payload\n");
  +                    goto exit;
  +            }
  +
               switch (hdr->mt) {
               case NCI_MT_DATA:
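Review bot: the new condition `if (len == ) {` has no right-hand operand and will not compile as shown; given the comment, the intended check is against zero, i.e. `if (len == 0)` or `if (!len)`. Separately, the comment says "Silently discard" while the body calls `pr_err` for every such frame, which both contradicts the comment and lets a misbehaving controller flood the log at error level; either drop the message or use `pr_err_ratelimited` so the comment and the behaviour agree.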

Now, if a packet with a zero-size payload is encountered, an error message is logged and the packet is dropped before it reaches any of the message type handlers.
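To show the shape of the check outside the kernel, here is an added stand-alone C model of the receive path, written for this article and not the kernel's own code: it validates the NCI control header before dispatching to a handler, and, going one step beyond the page's zero-length case, also drops frames whose header promises more payload bytes than actually arrived. Macro and helper names mirror the kernel's nci helpers, but their values, the result codes and the sample frames are assumptions constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NCI control header (3 bytes): MT/PBF/GID, OID, payload length.
 * Names mirror the kernel helpers; values here are assumptions for the model. */
#define NCI_CTRL_HDR_SIZE 3
#define NCI_MT_DATA 0
#define NCI_MT_RSP  2
#define NCI_MT_NTF  3

enum rx_result { RX_HANDLED = 0, RX_DROP_SHORT = -1, RX_DROP_EMPTY = -2,
                 RX_DROP_TRUNC = -3, RX_DROP_UNKNOWN_MT = -4 };

static unsigned int nci_mt(const uint8_t *hdr)   { return (hdr[0] >> 5) & 0x07; }
static unsigned int nci_plen(const uint8_t *hdr) { return hdr[2]; }

/* Stand-in for the per-type handlers: like the real ones, it reads the first
 * payload byte (a status field) and trusts the caller to have validated it. */
static int handler_reads_payload(const uint8_t *payload) { return payload[0]; }

/* Hardened receive path: every check runs before a handler can touch the payload. */
enum rx_result nci_rx_packet(const uint8_t *pkt, size_t pktlen, int *status_out)
{
    if (pktlen < NCI_CTRL_HDR_SIZE)
        return RX_DROP_SHORT;                 /* not even a complete header */
    unsigned int len = nci_plen(pkt);
    if (len == 0)
        return RX_DROP_EMPTY;                 /* the CVE-2024-35915 case: no payload to read */
    if (pktlen < NCI_CTRL_HDR_SIZE + len)
        return RX_DROP_TRUNC;                 /* header claims more bytes than were received */
    switch (nci_mt(pkt)) {
    case NCI_MT_DATA: case NCI_MT_RSP: case NCI_MT_NTF:
        *status_out = handler_reads_payload(pkt + NCI_CTRL_HDR_SIZE);
        return RX_HANDLED;
    default:
        return RX_DROP_UNKNOWN_MT;
    }
}

/* Constructed sample frames (not taken from the page or the syzbot report). */
static const uint8_t sample_rsp[]   = {0x40, 0x00, 0x01, 0x00}; /* MT=RSP, OID 0, len 1, status 0 */
static const uint8_t sample_empty[] = {0x40, 0x00, 0x00};       /* len 0: the bug trigger */
static const uint8_t sample_trunc[] = {0x40, 0x00, 0x05, 0xAA}; /* claims 5 bytes, carries 1 */

int main(void)
{
    int st = -1;
    printf("rsp=%d status=%d\n", nci_rx_packet(sample_rsp, sizeof sample_rsp, &st), st);
    printf("empty=%d\n", nci_rx_packet(sample_empty, sizeof sample_empty, &st));
    printf("trunc=%d\n", nci_rx_packet(sample_trunc, sizeof sample_trunc, &st));
    return 0;
}
```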

Exploit Details

An attacker could potentially exploit this vulnerability by sending specially crafted packets to the NFC NCI module, causing the message type handlers to read uninitialized values. This could lead to undefined behavior or potentially leak sensitive information. However, this vulnerability is considered low-risk, as exploiting it would require physical proximity to the target device, and the impact is limited to the NFC NCI module.

Original References

- [1] syzbot report on Linux Kernel Mailing List
- [2] KMSAN report

Conclusion

CVE-2024-35915 is a noteworthy vulnerability within the Linux kernel's NFC NCI module. The issue was discovered by syzbot and reported to the kernel development community. The vulnerability has been fixed in a recent patch, which checks the payload size before calling the message type handlers. It is essential for users to keep their kernels up to date to ensure that they have the latest security fixes, including those for vulnerabilities such as CVE-2024-35915.

Timeline

Published on: 05/19/2024 09:15:11 UTC
Last modified on: 06/27/2024 12:15:26 UTC