CVE-2024-46676: NFC pn533 Linux Kernel Division By Zero Vulnerability
CVSS 5.5 (MEDIUM)
Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: Add poll mod list filling check

In case of im_protocols value is 1 and tm_protocols value is 0 this combination successfully passes the check 'if (!im_protocols && !tm_protocols)' in the nfc_start_poll(). But then after pn533_poll_create_mod_list() call in pn533_start_poll() poll mod list will remain empty and dev->poll_mod_count will remain 0 which leads to division by zero.

Normally no im protocol has value 1 in the mask, so this combination is not expected by driver. But these protocol values actually come from userspace via Netlink interface (NFC_CMD_START_POLL operation). So a broken or malicious program may pass a message containing a "bad" combination of protocol parameter values so that dev->poll_mod_count is not incremented inside pn533_poll_create_mod_list(), thus leading to division by zero.

Call trace looks like:

    nfc_genl_start_poll()
      nfc_start_poll()
        ->start_poll()
          pn533_start_poll()

Add poll mod list filling check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
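The control flow the commit message describes can be modelled in a few dozen lines. The following is an added illustration written for this page, not the pn533 driver's code: the protocol bit masks, the structure names and the helper functions are simplified stand-ins, and only the shape of the logic matches the description above. The generic-layer check rejects just the all-zero request, the list filler adds one entry per recognised bit, and the next-mode step takes an index modulo the entry count; the `patched` flag adds the "poll mod list filling check" so that an empty list is rejected at start time instead of reaching the modulo with a zero divisor.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed protocol bit masks for this model; they are not the kernel's
 * NFC_PROTO_*_MASK constants. Bit 0 is deliberately assigned to no protocol,
 * matching the note above that no im protocol has mask value 1. */
#define IM_PROTO_X_MASK  (1u << 1)
#define IM_PROTO_Y_MASK  (1u << 2)
#define TM_MODE_MASK     (1u << 3)

#define MAX_POLL_MODS 4

struct poll_dev {
    unsigned int poll_mod_count;            /* number of entries filled below */
    unsigned int poll_mod_curr;             /* index of the mode being polled */
    unsigned int poll_mod_list[MAX_POLL_MODS];
};

/* Generic-layer check with the shape of the nfc_start_poll() test quoted
 * above: only the all-zero request is rejected. */
static int generic_start_poll(unsigned int im_protocols, unsigned int tm_protocols)
{
    if (!im_protocols && !tm_protocols)
        return -EINVAL;
    return 0;
}

/* Fill the list with one entry per recognised protocol bit. Unknown bits
 * (such as mask value 1) add nothing, so the count can stay at zero. */
static void poll_create_mod_list(struct poll_dev *dev,
                                 unsigned int im_protocols, unsigned int tm_protocols)
{
    dev->poll_mod_count = 0;
    dev->poll_mod_curr = 0;
    if (im_protocols & IM_PROTO_X_MASK)
        dev->poll_mod_list[dev->poll_mod_count++] = IM_PROTO_X_MASK;
    if (im_protocols & IM_PROTO_Y_MASK)
        dev->poll_mod_list[dev->poll_mod_count++] = IM_PROTO_Y_MASK;
    if (tm_protocols)
        dev->poll_mod_list[dev->poll_mod_count++] = TM_MODE_MASK;
}

/* Driver-level start. With `patched` set, the added filling check rejects an
 * empty list instead of leaving poll_mod_count == 0 for the polling loop. */
static int driver_start_poll(struct poll_dev *dev, unsigned int im_protocols,
                             unsigned int tm_protocols, int patched)
{
    int rc = generic_start_poll(im_protocols, tm_protocols);
    if (rc)
        return rc;
    poll_create_mod_list(dev, im_protocols, tm_protocols);
    if (patched && dev->poll_mod_count == 0)
        return -EINVAL;                 /* the "poll mod list filling check" */
    return 0;
}

/* Advancing to the next mode takes the index modulo the count. Returns -1
 * instead of evaluating the modulo when the count is zero, which is the
 * state the unpatched path leaves behind for the bad combination. */
static int poll_next_mod(struct poll_dev *dev)
{
    if (dev->poll_mod_count == 0)
        return -1;                      /* would be a division by zero */
    dev->poll_mod_curr = (dev->poll_mod_curr + 1) % dev->poll_mod_count;
    return (int)dev->poll_mod_curr;
}

int main(void)
{
    struct poll_dev dev;
    /* the bad combination from the description: im_protocols = 1, tm_protocols = 0 */
    int rc = driver_start_poll(&dev, 1, 0, 0);
    printf("unpatched: rc=%d count=%u next=%d\n", rc, dev.poll_mod_count, poll_next_mod(&dev));
    rc = driver_start_poll(&dev, 1, 0, 1);
    printf("patched:   rc=%d\n", rc);
    driver_start_poll(&dev, IM_PROTO_X_MASK | IM_PROTO_Y_MASK, 0, 1);
    printf("valid:     count=%u next=%d\n", dev.poll_mod_count, poll_next_mod(&dev));
    return 0;
}
```

The point to take from the model is that the generic layer's non-empty check and the driver's list filler disagree about what "valid" means: a mask can be non-zero without selecting any protocol the driver knows. Validating the derived state (the filled count) rather than the raw request is what closes the gap, which is exactly what the fix does.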

INFO

Published Date: Sept. 13, 2024, 6:15 a.m.
Last Modified: Sept. 23, 2024, 2:42 p.m.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable: No
Impact Score: 3.6
Exploitability Score: 1.8

Affected Products

The following products are affected by CVE-2024-46676. The table below lists only vendor and product; the affected version ranges are recorded in the CPE configuration under the vulnerability history further down.

ID | Vendor | Product
1  | Linux  | linux_kernel


The following table lists the changes that have been made to the CVE-2024-46676 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Sep. 23, 2024

    Action  | Type           | Old Value                                                                                    | New Value
    Added   | CVSS V3.1      |                                                                                              | NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Changed | Reference Type | https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946 No Types Assigned | https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946 Patch
    Changed | Reference Type | https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5 No Types Assigned | https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5 Patch
    Changed | Reference Type | https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723 No Types Assigned | https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723 Patch
    Changed | Reference Type | https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4 No Types Assigned | https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4 Patch
    Changed | Reference Type | https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33 No Types Assigned | https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33 Patch
    Changed | Reference Type | https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31 No Types Assigned | https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31 Patch
    Changed | Reference Type | https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0deae50e53 No Types Assigned | https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0deae50e53 Patch
    Added   | CWE            |                                                                                              | NIST CWE-369
    Added   | CPE Configuration |                                                                                           | OR (see list below)

    Added CPE configuration (OR of the following):
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.12 up to (excluding) 5.4.283
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.225
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.166
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.108
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.49
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.10.8
      cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Sep. 13, 2024

    Action | Type        | Old Value | New Value
    Added  | Description |           | (the full commit text reproduced in the Description section above)
    Added  | Reference   |           | kernel.org https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31 [No types assigned]
    Added  | Reference   |           | kernel.org https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33 [No types assigned]
    Added  | Reference   |           | kernel.org https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723 [No types assigned]
    Added  | Reference   |           | kernel.org https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4 [No types assigned]
    Added  | Reference   |           | kernel.org https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946 [No types assigned]
    Added  | Reference   |           | kernel.org https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5 [No types assigned]
    Added  | Reference   |           | kernel.org https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0deae50e53 [No types assigned]

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-46676 is associated with the following CWE:

  • CWE-369: Divide By Zero (assigned by NIST; see the vulnerability history above)


CVSS 3.1 - Vulnerability Scoring System

Metric values below are read from the NIST vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H recorded in the vulnerability history above.

Metric              | Value
Attack Vector       | Local (AV:L)
Attack Complexity   | Low (AC:L)
Privileges Required | Low (PR:L)
User Interaction    | None (UI:N)
Scope               | Unchanged (S:U)
Confidentiality     | None (C:N)
Integrity           | None (I:N)
Availability        | High (A:H)