projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5b6ce31)
nfc: nci: fix the UAF of rf_conn_info object
authorLin Ma <linma@zju.edu.cn>
Thu, 7 Oct 2021 17:44:30 +0000 (19:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 27 Oct 2021 07:34:00 +0000 (09:34 +0200)
commit 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 upstream.

The nci_core_conn_close_rsp_packet() function will release the conn_info
with given conn_id. However, it needs to set the rf_conn_info to NULL to
prevent other routines like nci_rf_intf_activated_ntf_packet() to trigger
the UAF.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/nfc/nci/rsp.c patch | blob | blame | history

diff --git a/net/nfc/nci/rsp.c b/net/nfc/nci/rsp.c
index e3bbf1937d0e96e0af5e4df215f89548fb2b5686..7681f89dc312b6c5534d612e2922c11e243524a0 100644 (file)
--- a/net/nfc/nci/rsp.c
+++ b/net/nfc/nci/rsp.c
@@ -289,6 +289,8 @@ static void nci_core_conn_close_rsp_packet(struct nci_dev *ndev,
                                                         ndev->cur_conn_id);
                if (conn_info) {
                        list_del(&conn_info->list);
+                       if (conn_info == ndev->rf_conn_info)
+                               ndev->rf_conn_info = NULL;
                        devm_kfree(&ndev->nfc_dev->dev, conn_info);
                }
        }