oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Linux kernel: nfc: null ptr dereference in llcp_sock_getname

From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Sun, 6 Jun 2021 23:40:24 +0800
Hi, the patch for this issue in upstream:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ac06a1e013cf5fdd963317ffd3b968560f33bba

Regards,
 butt3rflyh4ck.


On Tue, Jun 1, 2021 at 3:37 PM butt3rflyh4ck <butterflyhuangxx () gmail com> wrote:


 Hi, there was a null pointer dereference in llcp_sock_getname in
net/nfc/llcp_sock.c and reproduced it in linux-5.13.0-rc2. An
unprivileged user can trigger this bug and cause denial of service.

#Root Cause
After creating an nfc socket, bind the address by calling bind(), if
LLCP_SAP_MAX was used as SAP, it cause the bind() failed and there
would set llcp_sock->service_name  as NULL.

Although bind() returns an error here, it does not affect calling
other socket functions. sock_getname() would invoke
llcp_sock_getname(), llcp_sock_getname copied service  name from
llcp_sock->service_name by memcpy but llcp_sock->service_name is NULL.

#Fix
the patch for this issue:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=4ac06a1e013c

#CVE
CVE not assigned.

#Credits
Active Defense Lab of Venustech.



Regards,
   butt3rflyh4ck.

--
Active Defense Lab of Venustech




-- 
Active Defense Lab of Venustech
Previous By Date Next
Previous By Thread Next

Current thread: