From 4d3efa2e0583bb0112f1461e699f00cdd50e4e64 Mon Sep 17 00:00:00 2001 From: hanzhijian Date: Mon, 13 Jul 2026 09:43:11 +0800 Subject: [PATCH] drivers/contactless: fix uninitialized uid leak in mfrc522_read Fix security issue where uninitialized kernel stack contents could be leaked to userspace when mfrc522_picc_select() fails. In mfrc522_read(), the local variable 'uid' was not initialized before being passed to mfrc522_picc_select(). If the function fails (e.g., due to bad data on the SPI bus), the uninitialized uid.sak value could pass the PICC_TYPE_NOT_COMPLETE check, causing snprintf() to copy uninitialized kernel stack data to the userspace buffer. Fixes #19417 Signed-off-by: hanzhijian Author: hanzhijian --- drivers/contactless/mfrc522.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/contactless/mfrc522.c b/drivers/contactless/mfrc522.c index db03cc79004d2..0d85dc251ecc3 100644 --- a/drivers/contactless/mfrc522.c +++ b/drivers/contactless/mfrc522.c @@ -1480,6 +1480,7 @@ static ssize_t mfrc522_read(FAR struct file *filep, FAR char *buffer, FAR struct inode *inode; FAR struct mfrc522_dev_s *dev; FAR struct picc_uid_s uid; + int ret; inode = filep->f_inode; @@ -1496,7 +1497,13 @@ static ssize_t mfrc522_read(FAR struct file *filep, FAR char *buffer, /* Now read the UID */ - mfrc522_picc_select(dev, &uid, 0); + memset(&uid, 0, sizeof(uid)); + ret = mfrc522_picc_select(dev, &uid, 0); + if (ret < 0) + { + ctlserr("Failed to select PICC: %d\n", ret); + return ret; + } if (uid.sak != PICC_TYPE_NOT_COMPLETE) {