Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb

Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/nfc/nci/core.c:1210:30: error: static assertion failed due to requirement '__builtin_types_compatible_p(struct nfc_dev, struct nfc_dev *) || __builtin_types_compatible_p(struct nfc_dev, void)': pointer type mismatch in container_of()


Tested on:

commit:         aea6bf90 Merge tag 'f2fs-for-6.7-rc1' of git://git.ker..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=93ac5233c138249e
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1750e11f680000

Re: [syzbot] [PATCH] Test for aea6bf908d73

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com

please test uaf in nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..016364890357 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1640,11 +1640,14 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
 void nfc_llcp_unregister_device(struct nfc_dev *dev)
 {
 	struct nfc_llcp_local *local = nfc_llcp_remove_local(dev);
+	struct nfc_llcp_sock *nls;
 
 	if (local == NULL) {
 		pr_debug("No such device\n");
 		return;
 	}
+	nls = container_of(local, struct nfc_llcp_sock, local);
+	nls->local = NULL;
 
 	local_cleanup(local);
 

Re: [syzbot] [PATCH] Test for aea6bf908d73

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com

please test uaf in nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..4959163d8dc5 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -113,6 +113,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
 		bh_unlock_sock(sk);
 
 		sk_del_node_init(sk);
+		llcp_sock->local = NULL;
 	}
 
 	write_unlock(&local->sockets.lock);
-- 
2.25.1

Re: [syzbot] [PATCH] Test for aea6bf908d73

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com

please test uaf in nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73


From d6bab181339771591ed9519dced29a8eb20ddadc Mon Sep 17 00:00:00 2001
From: Lizhi Xu <lizhi.xu@windriver.com>
Date: Thu, 9 Nov 2023 21:31:26 +0800
Subject: [PATCH] nfc/nci: fix uaf in nfc_alloc_send_skb

After releasing the nfc/nci device, nfc_llcp_sock->local should be set to null
to avoid referencing expired devices.

Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 net/nfc/llcp_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..024cbba26fc8 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -102,6 +102,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
 				accept_sk->sk_state_change(sk);
 
 				bh_unlock_sock(accept_sk);
+				lsk->local = NULL;
 			}
 		}
 
@@ -113,6 +114,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
 		bh_unlock_sock(sk);
 
 		sk_del_node_init(sk);
+		llcp_sock->local = NULL;
 	}
 
 	write_unlock(&local->sockets.lock);
-- 
2.25.1

Re: [syzbot] [PATCH] Fix the null pointer deference in nsim_setup_prog_hw_checks

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] Fix the null pointer deference in nsim_setup_prog_hw_checks
Author: kdipendra88@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 8de1e7afcc1c

Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
---
 drivers/net/netdevsim/bpf.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
index f60eb97e3a62..89206278b6cc 100644
--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -317,9 +317,11 @@ nsim_setup_prog_hw_checks(struct netdevsim *ns, struct netdev_bpf *bpf)
 	}
 
 	state = bpf->prog->aux->offload->dev_priv;
-	if (WARN_ON(strcmp(state->state, "xlated"))) {
-		NSIM_EA(bpf->extack, "offloading program in bad state");
-		return -EINVAL;
+	if(state) {
+		if (WARN_ON(strcmp(state->state, "xlated"))) {
+			NSIM_EA(bpf->extack, "offloading program in bad state");
+			return -EINVAL;
+		}
 	}
 	return 0;
 }
-- 
2.34.1

Re: [syzbot] [PATCH] test aea6bf908d73

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] test aea6bf908d73
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..6ba43a0369d3 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -738,7 +738,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 
 	pr_debug("Send UI frame len %zd\n", len);
 
-	local = sock->local;
+	local = nfc_llcp_find_local(sock->dev);
 	if (local == NULL)
 		return -ENODEV;
 
-- 
2.25.1

Re: [syzbot] [PATCH] test aea6bf908d73

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] test aea6bf908d73
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..6ba43a0369d3 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -738,7 +738,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 
 	pr_debug("Send UI frame len %zd\n", len);
 
-	local = sock->local;
+	local = nfc_llcp_find_local(sock->dev);
 	if (local == NULL)
 		return -ENODEV;
 
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..150d0e24e27c 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -284,6 +284,7 @@ struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev)
 	spin_lock(&llcp_devices_lock);
 	list_for_each_entry(local, &llcp_devices, list)
 		if (local->dev == dev) {
+			printk("finded: %p, d: %p, %s\n", local, dev, __func__);
 			res = nfc_llcp_local_get(local);
 			break;
 		}
@@ -299,6 +300,7 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
 	spin_lock(&llcp_devices_lock);
 	list_for_each_entry_safe(local, tmp, &llcp_devices, list)
 		if (local->dev == dev) {
+			printk("deled: l: %p, d: %p, %s\n", local, dev, __func__);
 			list_del(&local->list);
 			spin_unlock(&llcp_devices_lock);
 			return local;

Re: [syzbot] [PATCH] Test for aea6bf908d73

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com

please test uaf in nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..f5dd2d7e41de 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -738,7 +738,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 
 	pr_debug("Send UI frame len %zd\n", len);
 
-	local = sock->local;
+	local = nfc_llcp_find_local(sock->dev);
+	printk("finded: %p, d: %p, %s\n", local, sock->dev, __func__);
 	if (local == NULL)
 		return -ENODEV;
 
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..8d47f17da904 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -299,6 +299,7 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
 	spin_lock(&llcp_devices_lock);
 	list_for_each_entry_safe(local, tmp, &llcp_devices, list)
 		if (local->dev == dev) {
+			printk("deled: l: %p, d: %p, %s\n", local, dev, __func__);
 			list_del(&local->list);
 			spin_unlock(&llcp_devices_lock);
 			return local;
-- 
2.25.1

Re: [syzbot] [PATCH] Test for aea6bf908d73

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com

please test uaf in nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..05b21ced9e1f 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -754,6 +754,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 	remaining_len = len;
 	msg_ptr = msg_data;
 
+	bh_lock_sock(sock);
 	do {
 		remote_miu = sock->remote_miu > LLCP_MAX_MIU ?
 				local->remote_miu : sock->remote_miu;
@@ -784,6 +785,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 		remaining_len -= frag_len;
 		msg_ptr += frag_len;
 	} while (remaining_len > 0);
+	bh_unlock_sock(sock);
 
 	kfree(msg_data);
 
-- 
2.25.1

[syzbot] [PATCH] Test for aea6bf908d73

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com

please test uaf in nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 6c9592d05120..b463452c507e 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -30,6 +30,7 @@
 #include <net/nfc/nci.h>
 #include <net/nfc/nci_core.h>
 #include <linux/nfc.h>
+#include "../llcp.h"
 
 struct core_conn_create_data {
 	int length;
@@ -1206,6 +1207,9 @@ EXPORT_SYMBOL(nci_allocate_device);
  */
 void nci_free_device(struct nci_dev *ndev)
 {
+	struct nfc_llcp_sock *nls = container_of(ndev->nfc_dev, 
+			struct nfc_llcp_sock, dev);
+	nls->local = NULL;
 	nfc_free_device(ndev->nfc_dev);
 	nci_hci_deallocate(ndev);
 	kfree(ndev);