drivers/contactless/pn532: Fix Stack Overflow in PN532 Contactless Driver #19132

Merged
xiaoxiang781216 merged 1 commit into apache:master from catalinv-ncc:bug/Stack_Overflow_in_PN532_Contactless_Driver
Jun 14, 2026
Conversation

@catalinv-ncc (Contributor)

drivers/contactless/pn532: Fix Stack Overflow in PN532 Contactless Driver

It addresses an earlier incomplete fix.
Tested locally, builds fine, simple fix.

Summary

The PN532 driver contains a buffer overflow in `ioctl`. Untrusted content is given to the
device in `arg`:

```c
static int _ioctl(FAR struct file *filep, int cmd, unsigned long arg)
{
  ...
  switch (cmd)
    {
      ...
      case PN532IOC_SET_RF_CONF:
        pn532_set_rf_config(dev, (FAR struct pn_rf_config_s *) arg);
        break;
      ...
    }
```

The RF Configuration command is described in Section 7.3.1 of the PN532 user guide (https://www.nxp.com/docs/en/user-guide/141520.pdf).

```c
begin_packed_struct struct pn532_frame
{
  uint8_t  preamble;    /* 0x00 */
  uint16_t start_code;  /* 0x00FF (BE) -> 0xFF00 (LE) */
  uint8_t  len;         /* 1 byte indicating the number of bytes in
                         * the data field */
  uint8_t  lcs;         /* 1 Packet Length Checksum LCS byte that satisfies
                         * the relation:  Lower byte of [LEN + LCS] = 00h */
  uint8_t  tfi;         /* Frame identifier 0xD4, 0xD5 */
  uint8_t  data[];      /* LEN-1 bytes of Packet Data Information.
                         * The first byte PD0 is the Command Code */
} end_packed_struct;
```

In the following structure `conf` is untrusted. The frame pointer `f` uses `cmd_buffer` for
storage and the maximum data size it can write is 16 bytes (because the first 6 bytes are
used by `preamble` to `tfi`). Note however that the attacker-controlled `conf->data_size` length is used to write attacker-controlled content `conf->config` into kernel stack memory, and may
be able to cause a privilege escalation.

```c
bool pn532_set_rf_config(struct pn532_dev_s * dev,
                         struct pn_rf_config_s * conf)
{
  bool res = false;
  uint8_t cmd_buffer[15 + 7];                       /* 22 bytes on the stack */
  FAR struct pn532_frame *f = (FAR struct pn532_frame *) cmd_buffer;

  pn532_frame_init(f, PN532_COMMAND_RFCONFIGURATION);
  f->data[1] = conf->cfg_item;
  /* conf->data_size is never checked against the space left in cmd_buffer */
  memcpy(&f->data[2], conf->config, conf->data_size);
  f->len += conf->data_size + 1;
  pn532_frame_finish(f);
```

Impact

When calling Set RF Configuration command, a compromised user process can trigger memory corruption in the kernel. This can lead to a system crash or potentially arbitrary code execution in the kernel.

Testing

Tested locally, after changes made with menuconfig to include the contactless driver in the build:

```
$ make
Create version.h
LD: nuttx
```

Signed-off-by: Catalin Visinescu catalin_visinescu@yahoo.com
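The missing bound in the `memcpy` above, worked through as an added example. This is not the driver's code and not the change this PR merged; it reuses the `struct pn532_frame` layout and the 22-byte `cmd_buffer` from the description, but `struct pn_rf_config_s`, `frame_init`, `frame_finish` and the `PN532_COMMAND_RFCONFIGURATION` value are stand-ins, and `conf` is assumed to already be a validated copy in kernel memory. The check computes the space actually left after the 6-byte header, PD0 and `cfg_item`, and refuses to write anything when the untrusted length would exceed it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame layout as shown in the PR description (struct pn532_frame). */
struct __attribute__((packed)) pn532_frame
{
  uint8_t  preamble;    /* 0x00 */
  uint16_t start_code;  /* 0x00FF on the wire */
  uint8_t  len;         /* number of bytes in the data field (TFI + data) */
  uint8_t  lcs;         /* length checksum: low byte of LEN + LCS == 0 */
  uint8_t  tfi;         /* 0xD4 host-to-PN532 */
  uint8_t  data[];      /* PD0 = command code, then parameters */
};

/* Hypothetical stand-in for struct pn_rf_config_s; the driver's real
 * definition is not on the page. */
struct pn_rf_config_s
{
  uint8_t cfg_item;
  uint8_t data_size;
  uint8_t config[32];
};

#define PN532_COMMAND_RFCONFIGURATION 0x32   /* RFConfiguration, PN532 user guide 7.3.1 */
#define CMD_BUFFER_SIZE (15 + 7)             /* same 22-byte buffer as the driver */

/* Space left for conf->config: buffer minus the 6-byte header, PD0 and
 * cfg_item. 22 - 6 - 2 = 14 bytes. */
#define PN532_RF_CONFIG_MAX (CMD_BUFFER_SIZE - sizeof(struct pn532_frame) - 2)

/* Assumed behaviour of pn532_frame_init: fill the fixed header and PD0. */
static void frame_init(struct pn532_frame *f, uint8_t cmd)
{
  f->preamble   = 0x00;
  f->start_code = 0xFF00;  /* bytes 00 FF in memory on a little-endian host */
  f->tfi        = 0xD4;
  f->data[0]    = cmd;
  f->len        = 2;       /* TFI + PD0 */
}

/* Assumed behaviour of pn532_frame_finish: LCS so that LEN + LCS == 0 mod 256. */
static void frame_finish(struct pn532_frame *f)
{
  f->lcs = (uint8_t)(0x100 - f->len);
}

/* Hardened version of the copy shown in the PR: validate the untrusted
 * length against the real space left in the output buffer before any
 * byte is written. Returns false (and writes nothing) on rejection. */
bool pn532_build_rf_config(const struct pn_rf_config_s *conf,
                           uint8_t *out, size_t outlen)
{
  const size_t header = sizeof(struct pn532_frame);  /* 6 bytes */
  struct pn532_frame *f = (struct pn532_frame *)out;

  if (conf == NULL || out == NULL || outlen < header + 2)
    {
      return false;
    }

  if (conf->data_size > outlen - header - 2)
    {
      return false;  /* would overrun cmd_buffer on the stack */
    }

  if (conf->data_size > sizeof(conf->config))
    {
      return false;  /* would read past the source structure */
    }

  frame_init(f, PN532_COMMAND_RFCONFIGURATION);
  f->data[1] = conf->cfg_item;
  memcpy(&f->data[2], conf->config, conf->data_size);
  f->len += conf->data_size + 1;
  frame_finish(f);
  return true;
}

/* Exercise the boundary with constructed input: the largest payload that
 * fits is accepted, one byte more is rejected. Returns the number of
 * accepted builds (expected: 1). */
int pn532_rf_config_boundary_check(void)
{
  uint8_t cmd_buffer[CMD_BUFFER_SIZE];
  struct pn_rf_config_s conf;
  int accepted = 0;

  memset(&conf, 0, sizeof(conf));
  conf.cfg_item = 0x01;                       /* constructed item id */

  conf.data_size = PN532_RF_CONFIG_MAX;       /* 14: fills the buffer exactly */
  if (pn532_build_rf_config(&conf, cmd_buffer, sizeof(cmd_buffer)))
    {
      accepted++;
    }

  conf.data_size = PN532_RF_CONFIG_MAX + 1;   /* 15: one byte past the end */
  if (pn532_build_rf_config(&conf, cmd_buffer, sizeof(cmd_buffer)))
    {
      accepted++;
    }

  return accepted;
}
```

The bound is derived from `sizeof` the frame header and the output buffer length rather than a hard-coded 16, so it stays correct if either changes; the separate check against `sizeof(conf->config)` covers the other direction of the same length field, an over-read of the source.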

drivers/contactless/pn532: Fix Stack Overflow in PN532 Contactless Driver

When calling Set RF Configuration command, a compromised user
process can trigger memory corruption in the kernel. This can
lead to a system crash or potentially arbitrary code execution
in the kernel.

It addresses an earlier incomplete fix.

Tested locally.

Signed-off-by: Your Name <catalin_visinescu@yahoo.com>
@github-actions github-actions Bot added the Size: XS The size of the change in this PR is very small label Jun 13, 2026
@xiaoxiang781216 xiaoxiang781216 merged commit ef211d6 into apache:master Jun 14, 2026
41 checks passed