CVE-2022-26490: Analysis of EVT_TRANSACTION Buffer Overflow Vulnerability in ST21NFCA NFC Driver in Linux Kernel (5.16.12 and earlier)

Summary: A security vulnerability identified as CVE-2022-26490 was discovered in the Linux kernel through 5.16.12. The issue resides in the st21nfca_connectivity_event_received function within the drivers/nfc/st21nfca/se.c file. The vulnerability may lead to EVT_TRANSACTION buffer overflows due to untrusted length parameters. This post will examine the underlying code, provide original references, and in-depth exploit details.

Introduction: Near Field Communication (NFC) technology allows for secure wireless communication between devices over short distances. The Linux kernel includes drivers for various NFC chipsets, including the ST21NFCA NFC chip found in some smartphones and other devices. The vulnerability impacts devices using this particular NFC chipset and may result in a buffer overflow, potentially allowing attackers to execute arbitrary code.

Code Snippet

Affected code: drivers/nfc/st21nfca/se.c (in the Linux kernel prior to 5.16.13)

static void st21nfca_connectivity_event_received(struct st21nfca_hci_info *info,
u8 *data, int datalen)
{
  ...
  while (datalen >= EVT_TRANSACTION_HDR_LEN) {
    if (datalen > (data[1] + EVT_TRANSACTION_HDR_LEN))
      return;
      len = min_t(int, data[1], datalen - EVT_TRANSACTION_HDR_LEN);
      remove_len = data[1] + EVT_TRANSACTION_HDR_LEN;
  ...
}

In the st21nfca_connectivity_event_received function, 'data' is an untrusted buffer containing EVT_TRANSACTION events received from the ST21NFCA chip. The function processes the data buffer according to the length parameters specified within the buffer, allowing an attacker to potentially manipulate the length and trigger a buffer overflow.

Original References

1. Linux kernel source prior to 5.16.13: link to the source code repository
2. STMicroelectronics ST21NFCA NFC driver: link to the product page

Exploit Details

An attacker with physical access to a device or able to send malicious EVT_TRANSACTION events from nearby, may exploit this vulnerability by manipulating the length parameters within the seized data buffer. This might result in a buffer overflow, potentially allowing the attacker to execute arbitrary code or cause a denial of service by crashing the affected device.

The attacker may craft specially designed EVT_TRANSACTION events that include manipulated length parameters to cause the data buffer to overflow. This EVT_TRANSACTION data buffer may then be processed within the st21nfca_connectivity_event_received function, resulting in a buffer overflow and possible arbitrary code execution or denial of service.

Mitigation and Recommendations

Updating the Linux kernel to version 5.16.13 or later should resolve this vulnerability. Maintainers of the later affected Linux kernel have already patched the issue.

For older kernels or custom builds, applying this patch link to the patch should help resolve the issue.

It is recommended to keep the kernel and other system software up-to-date as a best practice to prevent exploitation of known vulnerabilities. Additionally, only enabling NFC when necessary and disabling it when not in use can help minimize the attack surface.

Conclusion

CVE-2022-26490 is a critical vulnerability present in the Linux kernel through 5.16.12 affecting the st21nfca_connectivity_event_received function in drivers/nfc/st21nfca/se.c. The issue can result in EVT_TRANSACTION buffer overflows due to untrusted length parameters, potentially allowing for arbitrary code execution or denial of service. It is crucial for affected devices to update their kernel and apply available patches to mitigate this vulnerability.

Timeline

Published on: 03/06/2022 04:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC