Re: Re: [PATCH net] nfc: pn533: Clear nfc_target in pn533_poll_dep_complete() before being used

[Minsuk Kang <linuxlovemin@yonsei.ac.kr>]

On Tue, Dec 13, 2022 at 11:45:53AM +0100, Krzysztof Kozlowski wrote:
> > This patch fixes a slab-out-of-bounds read in pn533 that occurs in
> 
> Do not use "This commit/patch".
> https://elixir.bootlin.com/linux/v5.17.1/source/Documentation/process/submitting-patches.rst#L95
> 
> > nla_put() called from nfc_genl_send_target() when target->sensb_res_len,
> > which is duplicated from nfc_target in pn533_poll_dep_complete(), is
> > too large as the nfc_target is not properly initialized and retains
> > garbage values. The patch clears the nfc_target before it is used.
> 
> Same here
> 
> > 
> > Found by a modified version of syzkaller.
> > 
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in nla_put+0xe0/0x120
> > Read of size 94 at addr ffff888109d1dfa0 by task syz-executor/4367
> > 
> > CPU: 0 PID: 4367 Comm: syz-executor Not tainted 5.14.0+ #171

[snip]

> > Memory state around the buggy address:
> >  ffff888109d1de80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> >  ffff888109d1df00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
> >> ffff888109d1df80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
> >                                                        ^
> >  ffff888109d1e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >  ffff888109d1e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 
> Drop unrelated pieces of OOPS and keep only things which are relevant.
>

Thank you for the comments. I will update the commit message as advised
in v2.

> > ==================================================================
> > 
> > Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
> > Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
> > Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
> > Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
> 
> Reported-by is for crediting other people, not crediting yourself.
> Otherwise all my patches would be reported-by, right? Please drop this
> one and keep only credit for other people who actually reported it. It's
> anyway weird to see three people reporting one bug.
> 
> Additionally I really dislike private reports because they sometimes
> cannot be trusted (see all the fake report credits from running
> coccinelle by Hulk Robot and others)... Care to provide link to the
> reports of this bug?
> 

My intention was to credit all the people contributed to the
modification of syzkaller that led to this bug. But I will drop them in
v2.

> > Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
> > ---
> >  drivers/nfc/pn533/pn533.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
> > index d9f6367b9993..c6a611622668 100644
> > --- a/drivers/nfc/pn533/pn533.c
> > +++ b/drivers/nfc/pn533/pn533.c
> > @@ -1295,6 +1295,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
> >  	if (IS_ERR(resp))
> >  		return PTR_ERR(resp);
> > 
> > +	memset(&nfc_target, 0, sizeof(struct nfc_target));
> 
> There is one more place to fix in pn533_in_dep_link_up_complete()

Thank you. I will add a fix for it in v2.

Best regards,
Minsuk