CVE-2024-46676
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-46676
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46676.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-46676
- Downstream
- Related
- Published
- 2024-09-13T06:15:12Z
- Modified
- 2025-08-09T19:01:27Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: Add poll mod list filling check
In case of improtocols value is 1 and tmprotocols value is 0 this combination successfully passes the check 'if (!improtocols && !tmprotocols)' in the nfcstartpoll(). But then after pn533pollcreatemodlist() call in pn533startpoll() poll mod list will remain empty and dev->pollmodcount will remain 0 which lead to division by zero.
Normally no im protocol has value 1 in the mask, so this combination is not expected by driver. But these protocol values actually come from userspace via Netlink interface (NFCCMDSTARTPOLL operation). So a broken or malicious program may pass a message containing a "bad" combination of protocol parameter values so that dev->pollmodcount is not incremented inside pn533pollcreatemodlist(), thus leading to division by zero. Call trace looks like: nfcgenlstartpoll() nfcstartpoll() ->startpoll() pn533start_poll()
Add poll mod list filling check.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
- References
-
- https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946
- https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5
- https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723
- https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4
- https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33
- https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31
- https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0deae50e53