cve/published/2024/CVE-2024-46676.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46676: nfc: pn533: Add poll mod list filling check

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nfc: pn533: Add poll mod list filling check

 In case of im_protocols value is 1 and tm_protocols value is 0 this
 combination successfully passes the check
 'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().
 But then after pn533_poll_create_mod_list() call in pn533_start_poll()
 poll mod list will remain empty and dev->poll_mod_count will remain 0
 which lead to division by zero.

 Normally no im protocol has value 1 in the mask, so this combination is
 not expected by driver. But these protocol values actually come from
 userspace via Netlink interface (NFC_CMD_START_POLL operation). So a
 broken or malicious program may pass a message containing a "bad"
 combination of protocol parameter values so that dev->poll_mod_count
 is not incremented inside pn533_poll_create_mod_list(), thus leading
 to division by zero.
 Call trace looks like:
 nfc_genl_start_poll()
   nfc_start_poll()
     ->start_poll()
     pn533_start_poll()

 Add poll mod list filling check.

 Found by Linux Verification Center (linuxtesting.org) with SVACE.

 The Linux kernel CVE team has assigned CVE-2024-46676 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 5.4.283 with commit c5e05237444f32f6cfe5d907603a232c77a08b31
 	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 5.10.225 with commit 8ddaea033de051ed61b39f6b69ad54a411172b33
 	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 5.15.166 with commit 7535db0624a2dede374c42040808ad9a9101d723
 	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 6.1.108 with commit 7ecd3dd4f8eecd3309432156ccfe24768e009ec4
 	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 6.6.49 with commit 56ad559cf6d87f250a8d203b555dfc3716afa946
 	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 6.10.8 with commit 64513d0e546a1f19e390f7e5eba3872bfcbdacf5
 	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 6.11 with commit febccb39255f9df35527b88c953b2e0deae50e53

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46676
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/nfc/pn533/pn533.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31
 	https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33
 	https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723
 	https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4
 	https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946
 	https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5
 	https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0deae50e53
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46676: nfc: pn533: Add poll mod list filling check

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nfc: pn533: Add poll mod list filling check

	In case of im_protocols value is 1 and tm_protocols value is 0 this
	combination successfully passes the check
	'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().
	But then after pn533_poll_create_mod_list() call in pn533_start_poll()
	poll mod list will remain empty and dev->poll_mod_count will remain 0
	which lead to division by zero.

	Normally no im protocol has value 1 in the mask, so this combination is
	not expected by driver. But these protocol values actually come from
	userspace via Netlink interface (NFC_CMD_START_POLL operation). So a
	broken or malicious program may pass a message containing a "bad"
	combination of protocol parameter values so that dev->poll_mod_count
	is not incremented inside pn533_poll_create_mod_list(), thus leading
	to division by zero.
	Call trace looks like:
	nfc_genl_start_poll()
	nfc_start_poll()
	->start_poll()
	pn533_start_poll()

	Add poll mod list filling check.

	Found by Linux Verification Center (linuxtesting.org) with SVACE.

	The Linux kernel CVE team has assigned CVE-2024-46676 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 5.4.283 with commit c5e05237444f32f6cfe5d907603a232c77a08b31
	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 5.10.225 with commit 8ddaea033de051ed61b39f6b69ad54a411172b33
	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 5.15.166 with commit 7535db0624a2dede374c42040808ad9a9101d723
	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 6.1.108 with commit 7ecd3dd4f8eecd3309432156ccfe24768e009ec4
	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 6.6.49 with commit 56ad559cf6d87f250a8d203b555dfc3716afa946
	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 6.10.8 with commit 64513d0e546a1f19e390f7e5eba3872bfcbdacf5
	Issue introduced in 3.12 with commit dfccd0f580445d176acea174175b3e6518cc91f7 and fixed in 6.11 with commit febccb39255f9df35527b88c953b2e0deae50e53

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46676
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/nfc/pn533/pn533.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31
	https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33
	https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723
	https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4
	https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946
	https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5
	https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0deae50e53