Commit f64c63c0 authored Mar 12, 2024 by Jeremy Cline Committed by Liu Jian Mar 12, 2024

nfc: nci: assert requested protocol is valid

stable inclusion
from stable-v5.10.199
commit a424807d860ba816aaafc3064b46b456361c0802
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95B1K
CVE: CVE-2023-52507

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a424807d860ba816aaafc3064b46b456361c0802



---------------------------

[ Upstream commit 354a6e70 ]

The protocol is used in a bit mask to determine if the protocol is
supported. Assert the provided protocol is less than the maximum
defined so it doesn't potentially perform a shift-out-of-bounds and
provide a clearer error for undefined protocols vs unsupported ones.

Fixes: 6a2968aa ("NFC: basic NCI protocol implementation")
Reported-and-tested-by:  <syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78


Signed-off-by: Jeremy Cline <jeremy@jcline.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Liu Jian <liujian56@huawei.com>

parent 2ad5d68f

net/nfc/nci/core.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -894,6 +894,11 @@ static int nci_activate_target(struct nfc_dev *nfc_dev,
		return -EINVAL;
		}

		if (protocol >= NFC_PROTO_MAX) {
		pr_err("the requested nfc protocol is invalid\n");
		return -EINVAL;
		}

		if (!(nci_target->supported_protocols & (1 << protocol))) {
		pr_err("target does not support the requested protocol 0x%x\n",
		protocol);