Re: [PATCH net v2] nfc: nci: fix uninit-value in nci_core_init_rsp_packet()

[Simon Horman]

On Wed, Jun 24, 2026 at 11:44:55PM +0100, Samuel Page wrote:
> The CORE_INIT_RSP handlers walk the response using length fields taken
> from the packet itself, without checking they stay within skb->len:
> 
>  - v1 computes
> 	rsp_2 = skb->data + 6 + rsp_1->num_supported_rf_interfaces;
>    from the on-wire (unclamped) interface count and then dereferences
>    rsp_2, and memcpy()s the advertised interfaces - both can run past the
>    received data;
>  - v2 walks supported_rf_interfaces[], advancing the cursor by an
>    in-packet rf_extension_cnt with no bound.
> 
> A short CORE_INIT_RSP therefore makes the parser read past the packet
> (into the uninitialised tail of the RX skb); the values are stored into
> struct nci_dev and consumed while bringing the device up:
> 
>   BUG: KMSAN: uninit-value in nci_dev_up+0x10f3/0x1720
>    nci_dev_up+0x10f3/0x1720
>    nfc_dev_up+0x187/0x380
>    nfc_genl_dev_up+0xdc/0x1a0
>    genl_rcv_msg+0x5d4/0x9e0
>    netlink_rcv_skb+0x28f/0x530
>   Uninit was stored to memory at:
>    nci_rsp_packet+0x68f/0x2310
>    nci_rx_work+0x25f/0x5d0
>   Uninit was created at:
>    __alloc_skb+0x540/0xd40
>    virtual_ncidev_write+0x65/0x210
> 
> Validate the response length before parsing or storing the
> variable-length parts, rejecting truncated responses with
> NCI_STATUS_SYNTAX_ERROR.  In v1 the check is done before
> num_supported_rf_interfaces is stored into ndev, so a truncated response
> cannot leave ndev->num_supported_rf_interfaces holding the unclamped
> on-wire count, which nci_init_complete_req() would otherwise use as a
> bound for the fixed-size supported_rf_interfaces[] array.
> 
> Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
> Fixes: bcd684aace34 ("net/nfc/nci: Support NCI 2.x initial sequence")
> Cc: stable@xxxxxxxxxxxxxxx
> Tested-by: syzbot@xxxxxxxxxxxxxxxxxxxxxxxxx
> Assisted-by: Bynario AI
> Signed-off-by: Samuel Page <sam@xxxxxxxx>
> ---
> v2: validate the response length before storing num_supported_rf_interfaces
>     into @ndev.  In v1 the unclamped on-wire count was stored first and the
>     length check returned early on a truncated response, leaving
>     ndev->num_supported_rf_interfaces > NCI_MAX_SUPPORTED_RF_INTERFACES; a
>     subsequent CORE_INIT completion then walked it in nci_init_complete_req(),
>     which the syzbot CI run on v1 flagged as a UBSAN array-index-out-of-bounds.
>     https://ci.syzbot.org/series/2a9a8657-37a3-4dce-8cb5-2035027791dd
>     v1: https://lore.kernel.org/all/20260623222402.175798-1-sam@xxxxxxxx

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>