CVE-2025-40043

In the Linux kernel, the following vulnerability has been resolved:

net: nfc: nci: Add parameter validation for packet data

Syzbot reported an uninitialized value bug in nciinitreq, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").

This bug arises due to very limited and poor input validation that was done at nicvalidsize(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of skb_buff->data which is not assigned anything yet.

Following the same silent drop of packets of invalid sizes at nic_valid_size(), add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in nci_nft_packet and effectively do a silent drop

Possible TODO: because we silently drop the packets, the call to nci_request will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export nci_request_cancel (or propagate error handling from the nft packets handlers).