This is an automated email from the ASF dual-hosted git repository.
xiaoxiang781216 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git
The following commit(s) were added to refs/heads/master by this push:
new 20579ab531f drivers/contactless: fix uninitialized uid leak in
mfrc522_read
20579ab531f is described below
commit 20579ab531fe90cc4bfc2ea54af6cccb8cfba2a4
Author: hanzhijian <[email protected]>
AuthorDate: Mon Jul 13 09:43:11 2026 +0800
drivers/contactless: fix uninitialized uid leak in mfrc522_read
Fix security issue where uninitialized kernel stack contents could be
leaked to userspace when mfrc522_picc_select() fails.
In mfrc522_read(), the local variable 'uid' was not initialized before
being passed to mfrc522_picc_select(). If the function fails (e.g., due
to bad data on the SPI bus), the uninitialized uid.sak value could pass
the PICC_TYPE_NOT_COMPLETE check, causing snprintf() to copy
uninitialized kernel stack data to the userspace buffer.
Fixes #19417
Signed-off-by: hanzhijian <[email protected]>
Author: hanzhijian <[email protected]>
---
drivers/contactless/mfrc522.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/contactless/mfrc522.c b/drivers/contactless/mfrc522.c
index 003f671e625..a43d5f65e9e 100644
--- a/drivers/contactless/mfrc522.c
+++ b/drivers/contactless/mfrc522.c
@@ -1480,6 +1480,7 @@ static ssize_t mfrc522_read(FAR struct file *filep, FAR
char *buffer,
FAR struct inode *inode;
FAR struct mfrc522_dev_s *dev;
FAR struct picc_uid_s uid;
+ int ret;
inode = filep->f_inode;
@@ -1496,7 +1497,13 @@ static ssize_t mfrc522_read(FAR struct file *filep, FAR
char *buffer,
/* Now read the UID */
- mfrc522_picc_select(dev, &uid, 0);
+ memset(&uid, 0, sizeof(uid));
+ ret = mfrc522_picc_select(dev, &uid, 0);
+ if (ret < 0)
+ {
+ ctlserr("Failed to select PICC: %d\n", ret);
+ return ret;
+ }
if (uid.sak != PICC_TYPE_NOT_COMPLETE)
{