Linux Kernel NFC PN533 Slab-Out-Of-Bounds Read Vulnerability
Vulnerability
A slab-out-of-bounds read vulnerability has been identified in the Linux kernel's NFC PN533 driver. The read happens in 'nla_put()', called from 'nfc_genl_send_target()', when the 'sensb_res_len' of an NFC target is excessively large. The root cause is that the NFC target is not properly initialized, so its fields hold whatever stale values were left in the slab allocation. When 'sensb_res_len' is copied from such an uninitialized target and used as the attribute length, 'nla_put()' reads past the memory allocated for the target. The vulnerability was discovered with a modified version of Syzkaller, a kernel fuzzing tool.
Impact
Exploitation of this vulnerability causes a slab-out-of-bounds read, which can potentially be leveraged to read sensitive information from memory or cause other memory corruption issues.
Reproduction
The vulnerability can be reproduced by sending a netlink message that reaches 'nfc_genl_send_target()' while the NFC target has not been properly initialized. With 'sensb_res_len' left at an excessive value, the function reads beyond the memory allocated for the NFC target.
Remediation
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.
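To illustrate the defect class and the check that closes it, the following is an added, stand-alone C model and not the kernel's code or the upstream patch: a target record whose length field is trusted as-is versus one that is zero-initialized and whose length is validated against the buffer it describes. The struct layout, the 'NFC_SENSB_RES_MAXSIZE' value and the 'put_attr()' helper are assumptions standing in for the kernel's 'struct nfc_target' and 'nla_put()'.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-in for the kernel's target record; sizes are illustrative. */
#define NFC_SENSB_RES_MAXSIZE 12

struct nfc_target {
    uint8_t sensb_res[NFC_SENSB_RES_MAXSIZE];
    uint8_t sensb_res_len;
};

/* Stand-in for copying one attribute into a netlink message buffer.
 * Returns bytes written, or -1 if the message buffer would overflow.
 * Note it can only protect the destination; an oversized 'len' still
 * makes memcpy read past 'src', which is the bug described above. */
static int put_attr(uint8_t *msg, size_t cap, const uint8_t *src, size_t len) {
    if (len > cap) return -1;
    memcpy(msg, src, len);
    return (int)len;
}

/* Vulnerable pattern: the length field of the target is trusted as-is. */
int send_target_unchecked(uint8_t *msg, size_t cap, const struct nfc_target *t) {
    return put_attr(msg, cap, t->sensb_res, t->sensb_res_len);
}

/* Hardened pattern: the length must fit the field it describes. */
int send_target_checked(uint8_t *msg, size_t cap, const struct nfc_target *t) {
    if (t->sensb_res_len > sizeof(t->sensb_res)) return -1; /* stale/garbage length */
    return put_attr(msg, cap, t->sensb_res, t->sensb_res_len);
}

/* How the driver should build a target: zero it first, then fill it. */
void init_target(struct nfc_target *t, const uint8_t *res, size_t len) {
    memset(t, 0, sizeof(*t));
    if (len > sizeof(t->sensb_res)) len = sizeof(t->sensb_res);
    memcpy(t->sensb_res, res, len);
    t->sensb_res_len = (uint8_t)len;
}

/* Constructed scenario: a properly initialized 4-byte response is sent. */
int demo_valid_copied(void) {
    const uint8_t res[4] = {0x50, 0x01, 0x02, 0x03}; /* constructed sample */
    struct nfc_target t; uint8_t msg[64];
    init_target(&t, res, sizeof(res));
    int n = send_target_checked(msg, sizeof(msg), &t);
    return (n == 4 && memcmp(msg, res, 4) == 0) ? n : -2;
}

/* Constructed scenario: stale slab contents (0xC7 fill) leave sensb_res_len
 * at 199; the checked path rejects it instead of reading out of bounds. */
int demo_garbage_rejected(void) {
    struct nfc_target t; uint8_t msg[64];
    memset(&t, 0xC7, sizeof(t)); /* simulates an uninitialized target */
    return send_target_checked(msg, sizeof(msg), &t);
}
```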
