In June 2024, a critical vulnerability CVE-2024-35915 was fixed within the Linux kernel’s NFC NCI subsystem. This flaw could allow attackers to exploit uninitialized values when handling NFC packets, leading to potential data leaks, information disclosure, or even further privilege escalations. This post gives you an easy-to-understand breakdown of the bug, the fix, the possible exploit path, original references, and example code, so you know exactly what's going on and how it was resolved.
What is CVE-2024-35915?
The vulnerability was found in the way the NCI (NFC Controller Interface) stack processed incoming NFC packets within the nci_rx_work() function. If a specially crafted packet arrived with a zero-length payload, subsequent code would try to read that payload—even though it didn't exist. This is called an uninitialized value read, which, in memory-safe terms, is a big no-no.
Reference:
- syzbot report 1
- syzbot report 2
How Did This Vulnerability Happen?
In the original code, all NCI message type handlers would assume the payload was valid. But, with a payload size of zero, any access into it led to undefined memory being read.
Original Vulnerable Code (Example)
void nci_rx_work(struct work_struct *work) {
struct nci_dev *ndev = ...;
struct sk_buff *skb = ...;
// parsing incoming packets
struct nci_ctrl_hdr *hdr = (struct nci_ctrl_hdr *)skb->data;
u8 type = nci_mt(hdr->gid);
u8 *payload = skb->data + NCI_CTRL_HDR_SIZE;
u16 payload_len = nci_plen(hdr);
/* Vulnerable: always passing payload to handlers, without checking length */
switch (type) {
case NCI_MT_NTF:
nci_ntf_packet(ndev, payload, payload_len);
break;
// others ...
}
}
Later in nci_ntf_packet(...), the code would access payload[] and so on without making sure it's actually there.
How Was It Discovered?
This vulnerability was spotted by syzbot, a continuous fuzzing tool for the Linux kernel. Google’s KMSAN (Kernel Memory Sanitizer) found that sometimes these message handler functions were reading “garbage,” i.e., memory that was neither initialized nor valid. See the syzbot bug here.
How Was It Fixed?
The maintainers patched the code to check the payload length is non-zero before passing it over to message handler functions:
Fixed Code Example
void nci_rx_work(struct work_struct *work) {
struct nci_dev *ndev = ...;
struct sk_buff *skb = ...;
struct nci_ctrl_hdr *hdr = (struct nci_ctrl_hdr *)skb->data;
u8 type = nci_mt(hdr->gid);
u8 *payload = skb->data + NCI_CTRL_HDR_SIZE;
u16 payload_len = nci_plen(hdr);
/* FIX: Only handle packets with non-zero payloads */
if (payload_len == )
return; // Silently drop broken/empty packets
switch (type) {
case NCI_MT_NTF:
nci_ntf_packet(ndev, payload, payload_len);
break;
// others ...
}
}
Now, if the payload is zero, the kernel discards the packet and avoids undefined reads.
How Could This Be Exploited?
A malicious actor, or an accidental bug, could send NFC packets over a local wireless/NFC interface that purposely have a zero-length payload. Because Linux lacks checks until this patch, the kernel’s later logic would use “whatever is in RAM” as user data, allowing:
Possible kernel crashes if the memory happens to be bad pointers.
NOTE: This isn’t remotely exploitable across the Internet—but physical or local attackers, or others with NFC access could craft such packets and send them into the affected code path.
How Can I Protect My System?
- Update your Linux kernel to include the patch.
References & Further Reading
- Linux kernel patch
- syzbot bug 1
- syzbot bug 2
- Kernel NFC code
How to Test for this Issue (Proof of Concept)
Though this requires NFC hardware, here’s a conceptual C code snippet that would trigger the bug on a vulnerable kernel:
// Hypothetical code: sends a zero-length NCI notification packet
unsigned char pkt[] = {
x60, x00, // NCI Notification type, ... GID, OID
x00 // Payload length: (trigger the bug!)
};
write(nfc_socket, pkt, sizeof(pkt));
This would cause the kernel to call the handler with a zero-length payload, leading to undefined memory reads in unpatched systems.
Final Thoughts
While the exploitability of CVE-2024-35915 is limited by hardware and local access, it’s a great example of how subtle issues in kernel drivers can lead to critical flaws. Always take NFC and other local device drivers seriously, and update regularly. This bug also shows the power of automated fuzzers like syzbot to find corner-case bugs deep within the kernel.
If you maintain embedded Linux or distributions with NFC enabled, double-check your kernel version. CVE-2024-35915 is now resolved, but only if you upgrade.
*Written and summarized exclusively for this post. Share responsibly, and always patch promptly.*
Timeline
Published on: 05/19/2024 09:15:11 UTC
Last modified on: 02/03/2025 16:09:55 UTC