In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: initialize struct pn533_out_arg properly
struct pn533_out_arg, used as a temporary context for out_urb, is not initialized properly. Its uninitialized 'phy' field can be dereferenced in error cases inside the pn533_out_complete() callback function. It causes the following failure:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441
Call Trace:
 <IRQ>
 __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671
 usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754
 dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700
 expire_timers+0x234/0x330 kernel/time/timer.c:1751
 __run_timers kernel/time/timer.c:2022 [inline]
 __run_timers kernel/time/timer.c:1995 [inline]
 run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
 __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107
Initialize the field with the pn533_usb_phy currently used.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
[
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-03a95295",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2bee84369b76f6c9ef71938069c65a6ebd1a12f7",
"digest": {
"line_hashes": [
"31737506079171037350389078216120399222",
"298789069214953547815569627237513085570",
"208508381526423374641017127378767113688"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-045bf3ac",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4c20a07ed26a71a8ccc9c6d935fc181573f5462e",
"digest": {
"function_hash": "102079779582223984588863234796172651612",
"length": 924.0
},
"signature_type": "Function",
"target": {
"function": "pn533_usb_send_frame",
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-0f96c387",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f9c1f26d434c32520dfe33326b28c5954bc4299",
"digest": {
"line_hashes": [
"31737506079171037350389078216120399222",
"298789069214953547815569627237513085570",
"208508381526423374641017127378767113688"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-19207f37",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@484b7059796e3bc1cb527caa61dfc60da649b4f6",
"digest": {
"function_hash": "102079779582223984588863234796172651612",
"length": 924.0
},
"signature_type": "Function",
"target": {
"function": "pn533_usb_send_frame",
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-26be1b32",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a97ef110c491b72c138111a595a3a3af56cbc94c",
"digest": {
"function_hash": "102079779582223984588863234796172651612",
"length": 924.0
},
"signature_type": "Function",
"target": {
"function": "pn533_usb_send_frame",
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-29b40ea2",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2bd1ed6d607d7013ed4959e86990a04f028543ef",
"digest": {
"line_hashes": [
"31737506079171037350389078216120399222",
"298789069214953547815569627237513085570",
"208508381526423374641017127378767113688"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-36345201",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@484b7059796e3bc1cb527caa61dfc60da649b4f6",
"digest": {
"line_hashes": [
"31737506079171037350389078216120399222",
"298789069214953547815569627237513085570",
"208508381526423374641017127378767113688"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-4144ad84",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2bee84369b76f6c9ef71938069c65a6ebd1a12f7",
"digest": {
"function_hash": "102079779582223984588863234796172651612",
"length": 924.0
},
"signature_type": "Function",
"target": {
"function": "pn533_usb_send_frame",
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-864c82ab",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2bd1ed6d607d7013ed4959e86990a04f028543ef",
"digest": {
"function_hash": "102079779582223984588863234796172651612",
"length": 924.0
},
"signature_type": "Function",
"target": {
"function": "pn533_usb_send_frame",
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-951bdc87",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f9c1f26d434c32520dfe33326b28c5954bc4299",
"digest": {
"function_hash": "102079779582223984588863234796172651612",
"length": 924.0
},
"signature_type": "Function",
"target": {
"function": "pn533_usb_send_frame",
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-aa9a2a84",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4c20a07ed26a71a8ccc9c6d935fc181573f5462e",
"digest": {
"line_hashes": [
"31737506079171037350389078216120399222",
"298789069214953547815569627237513085570",
"208508381526423374641017127378767113688"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-b55864b0",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2703da78849c47b6b5b4471edb35fc7b7f91dead",
"digest": {
"line_hashes": [
"31737506079171037350389078216120399222",
"298789069214953547815569627237513085570",
"208508381526423374641017127378767113688"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-b6823ad9",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2cbd4213baf7be5d87d183e2032c54003de0790f",
"digest": {
"function_hash": "102079779582223984588863234796172651612",
"length": 924.0
},
"signature_type": "Function",
"target": {
"function": "pn533_usb_send_frame",
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-c54dd2d4",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2703da78849c47b6b5b4471edb35fc7b7f91dead",
"digest": {
"function_hash": "102079779582223984588863234796172651612",
"length": 924.0
},
"signature_type": "Function",
"target": {
"function": "pn533_usb_send_frame",
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-c9ea1966",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2cbd4213baf7be5d87d183e2032c54003de0790f",
"digest": {
"line_hashes": [
"31737506079171037350389078216120399222",
"298789069214953547815569627237513085570",
"208508381526423374641017127378767113688"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/nfc/pn533/usb.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-53119-fec9988b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a97ef110c491b72c138111a595a3a3af56cbc94c",
"digest": {
"line_hashes": [
"31737506079171037350389078216120399222",
"298789069214953547815569627237513085570",
"208508381526423374641017127378767113688"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/nfc/pn533/usb.c"
}
}
]