cve/published/2024/CVE-2024-35915.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35915: nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet

 syzbot reported the following uninit-value access issue [1][2]:

 nci_rx_work() parses and processes received packet. When the payload
 length is zero, each message type handler reads uninitialized payload
 and KMSAN detects this issue. The receipt of a packet with a zero-size
 payload is considered unexpected, and therefore, such packets should be
 silently discarded.

 This patch resolved this issue by checking payload size before calling
 each message type handler codes.

 The Linux kernel CVE team has assigned CVE-2024-35915 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 4.19.312 with commit 11387b2effbb55f58dc2111ef4b4b896f2756240
 	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 5.4.274 with commit 03fe259649a551d336a7f20919b641ea100e3fff
 	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 5.10.215 with commit 755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c
 	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 5.15.154 with commit ac68d9fa09e410fa3ed20fb721d56aa558695e16
 	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 6.1.85 with commit b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7
 	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 6.6.26 with commit a946ebee45b09294c8b0b0e77410b763c4d2817a
 	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 6.8.5 with commit 8948e30de81faee87eeee01ef42a1f6008f5a83a
 	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 6.9 with commit d24b03535e5eb82e025219c2f632b485409c898f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35915
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/nfc/nci/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240
 	https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff
 	https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c
 	https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16
 	https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7
 	https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a
 	https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a
 	https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35915: nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet

	syzbot reported the following uninit-value access issue [1][2]:

	nci_rx_work() parses and processes received packet. When the payload
	length is zero, each message type handler reads uninitialized payload
	and KMSAN detects this issue. The receipt of a packet with a zero-size
	payload is considered unexpected, and therefore, such packets should be
	silently discarded.

	This patch resolved this issue by checking payload size before calling
	each message type handler codes.

	The Linux kernel CVE team has assigned CVE-2024-35915 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 4.19.312 with commit 11387b2effbb55f58dc2111ef4b4b896f2756240
	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 5.4.274 with commit 03fe259649a551d336a7f20919b641ea100e3fff
	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 5.10.215 with commit 755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c
	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 5.15.154 with commit ac68d9fa09e410fa3ed20fb721d56aa558695e16
	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 6.1.85 with commit b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7
	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 6.6.26 with commit a946ebee45b09294c8b0b0e77410b763c4d2817a
	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 6.8.5 with commit 8948e30de81faee87eeee01ef42a1f6008f5a83a
	Issue introduced in 3.2 with commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and fixed in 6.9 with commit d24b03535e5eb82e025219c2f632b485409c898f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35915
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/nfc/nci/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240
	https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff
	https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c
	https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16
	https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7
	https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a
	https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a
	https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f