| ID |
CVE-2025-40043
|
| Sažetak |
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: nci: Add parameter validation for packet data
Syzbot reported an uninitialized value bug in nci_init_req, which was
introduced by commit 5aca7966d2a7 ("Merge tag
'perf-tools-fixes-for-v6.17-2025-09-16' of
git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").
This bug arises due to very limited and poor input validation
that was done at nic_valid_size(). This validation only
validates the skb->len (directly reflects size provided at the
userspace interface) with the length provided in the buffer
itself (interpreted as NCI_HEADER). This leads to the processing
of memory content at the address assuming the correct layout
per what opcode requires there. This leads to the accesses to
buffer of `skb_buff->data` which is not assigned anything yet.
Following the same silent drop of packets of invalid sizes at
`nic_valid_size()`, add validation of the data in the respective
handlers and return error values in case of failure. Release
the skb if error values are returned from handlers in
`nci_nft_packet` and effectively do a silent drop
Possible TODO: because we silently drop the packets, the
call to `nci_request` will be waiting for completion of request
and will face timeouts. These timeouts can get excessively logged
in the dmesg. A proper handling of them may require to export
`nci_request_cancel` (or propagate error handling from the
nft packets handlers). |
| Reference |
|
| CVSS |
| Base: | 0.0 |
| Impact: | None |
| Exploitability: | None |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| None |
None |
None |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| None |
None |
None |
|
| CVSS vektor |
None |
| Zadnje važnije ažuriranje |
28-10-2025 - 12:15 |
| Objavljeno |
28-10-2025 - 12:15 |
