Linux Kernel NFC S3FWRN5 Driver Receive Buffer Vulnerability

A vulnerability in the Linux kernel's NFC S3FWRN5 driver can lead to improper handling of received data over a UART interface. The issue arises because the driver consumes bytes into a receive buffer before allocating a new one. If the allocation fails, the driver returns a count of bytes received while leaving the buffer empty for the next callback, potentially causing a NULL dereference. This vulnerability affects several versions of the Linux kernel.

Impact

This vulnerability can disrupt the accounting of received bytes, leading to a NULL dereference when the driver attempts to process the received data. Such a dereference can cause a crash or instability in the system.

Reproduction

The vulnerability can be reproduced by using the NFC S3FWRN5 driver with a UART interface. When data is received, the driver will consume the bytes into a receive buffer. If the buffer allocation fails, the driver will return a count of bytes received but leave the buffer empty for the next receive callback. This sequence can be repeated, leading to a NULL dereference when the driver tries to process the data.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.