Patch "nfc: nci: fix the UAF of rf_conn_info object" has been added to the 5.14-stable tree

This is a note to let you know that I've just added the patch titled

    nfc: nci: fix the UAF of rf_conn_info object

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 Mon Sep 17 00:00:00 2001
From: Lin Ma <linma@xxxxxxxxxx>
Date: Thu, 7 Oct 2021 19:44:30 +0200
Subject: nfc: nci: fix the UAF of rf_conn_info object

From: Lin Ma <linma@xxxxxxxxxx>

commit 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 upstream.

The nci_core_conn_close_rsp_packet() function will release the conn_info
with the given conn_id. However, it needs to set the rf_conn_info to NULL to
prevent other routines like nci_rf_intf_activated_ntf_packet() from
triggering the UAF.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxxxxx>
Signed-off-by: Lin Ma <linma@xxxxxxxxxx>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/nfc/nci/rsp.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/nfc/nci/rsp.c
+++ b/net/nfc/nci/rsp.c
@@ -330,6 +330,8 @@ static void nci_core_conn_close_rsp_pack
 							 ndev->cur_conn_id);
 		if (conn_info) {
 			list_del(&conn_info->list);
+			if (conn_info == ndev->rf_conn_info)
+				ndev->rf_conn_info = NULL;
 			devm_kfree(&ndev->nfc_dev->dev, conn_info);
 		}
 	}
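
Review bot: inside the "if (conn_info)" block, the added check clears only ndev->rf_conn_info, so the fix holds only if every reader of that field tolerates NULL. The commit message names nci_rf_intf_activated_ntf_packet() as one such reader, but this hunk does not show its NULL handling, so that path should be confirmed during review. A short comment above "if (conn_info == ndev->rf_conn_info)" stating that the cached pointer must not outlive devm_kfree() would help later readers. The commit message also carries no Fixes: tag, which would tell stable maintainers how far back the backport applies.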


Patches currently in stable-queue which might be from linma@xxxxxxxxxx are

queue-5.14/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch


