Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's NFC subsystem allows a malicious NFC-A peer device to abuse the anti-collision cascade mechanism. The flaw is in the SDD response (SDD_RES) handler, where the number of cascade rounds is decided by the peer: each round appends more NFCID1 bytes to the target object, and nothing bounds how many rounds run. ISO 14443-3 limits NFC-A to three cascade levels (a UID of 4, 7 or 10 bytes), but the kernel did not enforce that limit, so a peer can keep the cascade going and make the handler write past the end of the heap memory allocated for the NFC target.
Exploitation results in a heap-based buffer overflow in the kernel of the device that is polling for NFC-A targets, with the overflowing bytes chosen by the peer. That is kernel memory corruption, and in the worst case it could be leveraged for arbitrary code execution. The attacker needs an NFC peer device within radio range, so this is a proximity attack rather than a remote one.
To reproduce, present an NFC-A target (for example a card emulator) to a Linux device that is polling for targets and have it extend the anti-collision cascade past the allowed three levels: at every level, answer the SDD_REQ with an SDD_RES whose first byte is the cascade tag and answer the SEL_REQ with a SEL_RES that has the cascade-incomplete bit set, then continue for a fourth level or more. Each extra level appends further UID bytes, so the kernel overwrites memory past the bounds of the allocated NFC ID buffer.
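The cascade handling described above, modelled as an added example (this is not the kernel's code and not the upstream fix): a vulnerable SDD_RES handler beside a hardened one, both driven by constructed peer responses, with a canary region after the UID buffer to make the overrun observable. The struct layout, the function names, the 8-byte canary and the particular checks in the hardened version are assumptions made for the illustration. The frame format it relies on follows ISO 14443-3: a 5-byte SDD_RES (four bytes plus BCC) whose first byte is the cascade tag 0x88 when more UID bytes follow, SAK bit 0x04 meaning the UID is not yet complete, and a UID of at most 10 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFCID1_MAXSIZE      10    /* longest NFC-A UID in ISO 14443-3: 4 + 3 + 3 bytes */
#define CANARY_LEN          8     /* stands in for whatever follows the UID buffer in memory */
#define SDD_CASCADE_TAG     0x88  /* first SDD_RES byte when more UID bytes follow */
#define SEL_RES_CASCADE_BIT 0x04  /* SAK bit 3: UID not complete, run another level */
#define MAX_CASCADE_LEVELS  3

/* Hypothetical receiving object (the kernel's real layout differs): mem[0..9] is the NFCID1 buffer. */
struct target { uint8_t mem[NFCID1_MAXSIZE + CANARY_LEN]; size_t nfcid1_len; };

/* One cascade level as the initiator sees it: the peer's SDD_RES (4 bytes + BCC), then its SEL_RES (SAK). */
struct cascade_round { uint8_t sdd_res[5]; uint8_t sel_res; };

typedef int (*handler_fn)(struct target *, const struct cascade_round *, size_t);
static const uint8_t canary[CANARY_LEN] = { 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5 };

static void target_init(struct target *t)
{
    memset(t->mem, 0, NFCID1_MAXSIZE);
    memcpy(t->mem + NFCID1_MAXSIZE, canary, CANARY_LEN);
    t->nfcid1_len = 0;
}

static int canary_intact(const struct target *t) { return memcmp(t->mem + NFCID1_MAXSIZE, canary, CANARY_LEN) == 0; }
static int bcc_ok(const uint8_t *s) { return (s[0] ^ s[1] ^ s[2] ^ s[3]) == s[4]; }

/* Vulnerable model: the peer decides how many levels run, and each level appends
 * 3 or 4 bytes with no check against the 10-byte buffer. */
static int sdd_res_handler_vuln(struct target *t, const struct cascade_round *r, size_t nrounds)
{
    target_init(t);
    for (size_t lvl = 0; lvl < nrounds; lvl++) {
        const uint8_t *s = r[lvl].sdd_res;
        size_t n = s[0] == SDD_CASCADE_TAG ? 3 : 4;      /* cascade tag: 3 UID bytes follow it */
        if (!bcc_ok(s)) return -1;
        memcpy(t->mem + t->nfcid1_len, s + (n == 3), n); /* no room check: a 4th level runs past mem[9] */
        t->nfcid1_len += n;
        if (!(r[lvl].sel_res & SEL_RES_CASCADE_BIT)) return 0;  /* peer says the UID is complete */
    }
    return -1;                                           /* peer never completed the UID */
}

/* Hardened model (an assumed fix, not the upstream one): at most three levels, the cascade
 * tag and the SAK cascade bit must agree, and the copy itself is bounded as defence in depth. */
static int sdd_res_handler_fixed(struct target *t, const struct cascade_round *r, size_t nrounds)
{
    target_init(t);
    for (size_t lvl = 0; lvl < nrounds; lvl++) {
        const uint8_t *s = r[lvl].sdd_res;
        int tagged = s[0] == SDD_CASCADE_TAG;
        int incomplete = (r[lvl].sel_res & SEL_RES_CASCADE_BIT) != 0;
        size_t n = tagged ? 3 : 4;
        if (lvl >= MAX_CASCADE_LEVELS || !bcc_ok(s) || tagged != incomplete) return -1;
        if (t->nfcid1_len + n > NFCID1_MAXSIZE) return -1;
        memcpy(t->mem + t->nfcid1_len, s + tagged, n);
        t->nfcid1_len += n;
        if (!incomplete) return 0;
    }
    return -1;
}

/* Peer-chosen bytes with the BCC computed so the frame passes the check. */
static struct cascade_round mk(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t sak)
{
    return (struct cascade_round){ { b0, b1, b2, b3, (uint8_t)(b0 ^ b1 ^ b2 ^ b3) }, sak };
}

/* Constructed normal exchange: a 7-byte UID over two levels. Returns the UID length, -1 on failure. */
static int run_legit(handler_fn h)
{
    struct target t;
    struct cascade_round rounds[2] = { mk(SDD_CASCADE_TAG, 0x04, 0xE1, 0x2A, SEL_RES_CASCADE_BIT),
                                       mk(0x9B, 0x7F, 0x11, 0x80, 0x00) };
    return (h(&t, rounds, 2) == 0 && canary_intact(&t)) ? (int)t.nfcid1_len : -1;
}

/* Constructed attack: three "incomplete" levels then a complete one, 3+3+3+4 = 13 bytes. */
static int run_attack(handler_fn h, struct target *t)
{
    struct cascade_round rounds[4] = { mk(SDD_CASCADE_TAG, 0x41, 0x41, 0x41, SEL_RES_CASCADE_BIT),
                                       mk(SDD_CASCADE_TAG, 0x42, 0x42, 0x42, SEL_RES_CASCADE_BIT),
                                       mk(SDD_CASCADE_TAG, 0x43, 0x43, 0x43, SEL_RES_CASCADE_BIT),
                                       mk(0x44, 0x44, 0x44, 0x44, 0x00) };
    return h(t, rounds, 4);
}

static int attack_rc(handler_fn h)        { struct target t; return run_attack(h, &t); }
static int attack_len(handler_fn h)       { struct target t; run_attack(h, &t); return (int)t.nfcid1_len; }
static int attack_canary_ok(handler_fn h) { struct target t; run_attack(h, &t); return canary_intact(&t); }

int main(void)
{
    handler_fn v = sdd_res_handler_vuln, f = sdd_res_handler_fixed;
    printf("legit UID   : vuln len=%d, fixed len=%d\n", run_legit(v), run_legit(f));
    printf("attack/vuln : rc=%d len=%d canary_ok=%d\n", attack_rc(v), attack_len(v), attack_canary_ok(v));
    printf("attack/fixed: rc=%d len=%d canary_ok=%d\n", attack_rc(f), attack_len(f), attack_canary_ok(f));
    return 0;
}
```

Against the vulnerable handler the four-level sequence is accepted, 13 bytes land in a 10-byte buffer and the three bytes after it are clobbered; the hardened handler stops at the fourth level with the canary untouched. Both handlers accept the ordinary 7-byte UID, which is the check worth keeping when writing a real fix: the level cap and the size bound must not reject legitimate double- and triple-size UIDs.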
Upgrade to a Linux kernel release that contains the fix. The fixing commit is in the Linux kernel stable tree.