From: Simon Horman <horms@kernel.org>
To: zhanghao <zhanghao1@kylinos.cn>
Cc: bongsu.jeon@samsung.com, krzk@kernel.org,
syzbot+3da70a0abd7f5765b6ea@syzkaller.appspotmail.com,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] nfc: nci: Fix uninit-value in nci_rx_work()
Date: Sun, 4 Aug 2024 11:57:16 +0100
Message-ID: <20240804105716.GA2581863@kernel.org>
In-Reply-To: <20240803121817.383567-1-zhanghao1@kylinos.cn>
On Sat, Aug 03, 2024 at 08:18:17PM +0800, zhanghao wrote:
> Commit e624e6c3e777 ("nfc: Add a virtual nci device driver")
> calls alloc_skb() with GFP_KERNEL as the argument flags. The
> allocated heap memory was not initialized. This causes KMSAN
> to detect an uninitialized value.
>
> Reported-by: syzbot+3da70a0abd7f5765b6ea@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3da70a0abd7f5765b6ea
Hi,
I wonder if the problem reported above is caused by accessing packet
data which is past the end of what is copied in virtual_ncidev_write().
I.e. count is unusually short and this is not being detected.
> Fixes: e624e6c3e777 ("nfc: Add a virtual nci device driver")
> Link: https://lore.kernel.org/all/000000000000747dd6061a974686@google.com/T/
> Signed-off-by: zhanghao <zhanghao1@kylinos.cn>
> ---
> drivers/nfc/virtual_ncidev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c
> index 6b89d596ba9a..ae1592db131e 100644
> --- a/drivers/nfc/virtual_ncidev.c
> +++ b/drivers/nfc/virtual_ncidev.c
> @@ -117,7 +117,7 @@ static ssize_t virtual_ncidev_write(struct file *file,
> struct virtual_nci_dev *vdev = file->private_data;
> struct sk_buff *skb;
>
> - skb = alloc_skb(count, GFP_KERNEL);
> + skb = alloc_skb(count, GFP_KERNEL|__GFP_ZERO);
> if (!skb)
> return -ENOMEM;
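Review bot: adding __GFP_ZERO to this alloc_skb() does not change the bytes that nci_rx_work() later reads, because the copy_from_user(skb_put(skb, count), buf, count) immediately after this hunk overwrites all count allocated bytes with user data, and bytes beyond count lie outside skb->len either way. If the KMSAN report comes from the consumer reading past skb->len on a short write, the change belongs in a length check (a lower bound on count here, or a check of skb->len against the header size before the header is parsed) rather than in the allocation flags; the commit message should also say which bytes were observed uninitialized so that can be confirmed.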
I'm not sure this helps wrt initialising the memory as immediately below there
is:
if (copy_from_user(skb_put(skb, count), buf, count)) {
...
Which I assume will initialise count bytes of skb data.
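The point under discussion, as an added user-space model that is not kernel code and not the patch author's code: a write() path copies count bytes into a buffer with slack beyond it, and two consumers parse the 3-byte NCI control header, one trusting it blindly and one checking the length first. The struct pkt, TAILROOM, UNINIT_FILL and the two parse functions are constructed here for illustration; NCI_CTRL_HDR_SIZE matches the kernel's 3-byte control header. The model shows that zeroing the allocation only swaps poison for zeros when fewer than 3 bytes were written, while a length check rejects the packet outright.

```c
/* Added example: user-space model of a short write reaching a header parser.
 * Not kernel code; struct pkt, TAILROOM and UNINIT_FILL are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCI_CTRL_HDR_SIZE 3   /* MT/PBF/GID, OID, payload length */
#define TAILROOM 16           /* stand-in for sk_buff slack beyond skb->len */
#define UNINIT_FILL 0xAA      /* marks bytes that write() never touched */

/* Stand-in for an sk_buff: a buffer plus the number of valid bytes. */
struct pkt {
    uint8_t data[NCI_CTRL_HDR_SIZE + 255 + TAILROOM];
    size_t len;
};

/* Model of virtual_ncidev_write(): copy count bytes from the caller.
 * zero == 1 models alloc_skb(count, GFP_KERNEL|__GFP_ZERO); zero == 0
 * leaves the untouched bytes filled with UNINIT_FILL (what KMSAN would
 * flag as uninitialized in the kernel). */
static void model_write(struct pkt *p, const uint8_t *buf, size_t count, int zero)
{
    memset(p->data, zero ? 0x00 : UNINIT_FILL, sizeof(p->data));
    memcpy(p->data, buf, count);   /* copy_from_user(skb_put(skb, count), buf, count) */
    p->len = count;
}

/* Consumer that trusts the header without checking len. Returns the
 * payload-length byte. For len < 3 it reads bytes write() never wrote:
 * poison without __GFP_ZERO, a meaningless 0 with it. */
static int payload_len_unchecked(const struct pkt *p)
{
    return p->data[2];
}

/* Consumer with the length checks the thread asks about: reject packets
 * shorter than a header, and packets whose payload-length byte promises
 * more than was actually written. Returns -1 for rejected input. */
static int payload_len_checked(const struct pkt *p)
{
    if (p->len < NCI_CTRL_HDR_SIZE)
        return -1;
    if (p->len < NCI_CTRL_HDR_SIZE + (size_t)p->data[2])
        return -1;
    return p->data[2];
}

/* One write()-then-parse round; reports what each consumer sees. */
struct outcome { int unchecked; int checked; };

static struct outcome round_trip(const uint8_t *buf, size_t count, int zero)
{
    struct pkt p;
    struct outcome o;
    model_write(&p, buf, count, zero);
    o.unchecked = payload_len_unchecked(&p);
    o.checked = payload_len_checked(&p);
    return o;
}

int main(void)
{
    /* Constructed inputs: a 2-byte write (shorter than a header), a header
     * whose payload-length byte exceeds what was written, and a well-formed
     * 5-byte packet declaring a 2-byte payload. */
    static const uint8_t short_pkt[] = { 0x20, 0x00 };
    static const uint8_t trunc_pkt[] = { 0x20, 0x00, 0x02 };
    static const uint8_t good_pkt[]  = { 0x20, 0x00, 0x02, 0x01, 0x00 };
    struct outcome a = round_trip(short_pkt, sizeof(short_pkt), 0);
    struct outcome b = round_trip(short_pkt, sizeof(short_pkt), 1);
    struct outcome c = round_trip(trunc_pkt, sizeof(trunc_pkt), 0);
    struct outcome d = round_trip(good_pkt, sizeof(good_pkt), 0);

    printf("short, no zero : unchecked=0x%02x checked=%d\n", a.unchecked, a.checked);
    printf("short, __GFP_ZERO: unchecked=0x%02x checked=%d\n", b.unchecked, b.checked);
    printf("truncated      : unchecked=%d checked=%d\n", c.unchecked, c.checked);
    printf("well-formed    : unchecked=%d checked=%d\n", d.unchecked, d.checked);
    return 0;
}
```

Run as written, the short write yields 0xAA from the unchecked parser without zeroing and 0 with it, and -1 from the checked parser in both cases; the only input the checked parser accepts is the well-formed packet.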
Thread overview: 4+ messages
2024-08-03 12:18 [PATCH] nfc: nci: Fix uninit-value in nci_rx_work() zhanghao
2024-08-04 10:57 ` Simon Horman [this message]
2024-08-05 8:20 ` Krzysztof Kozlowski
2024-08-08 0:59 ` zhanghao