From: Miquel Raynal <miquel.raynal@bootlin.com>
To: Zhang Shurong <zhang_shurong@foxmail.com>
Cc: alex.aring@gmail.com, stefan@datenfreihafen.org,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, linux-wpan@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
harperchen1110@gmail.com
Subject: Re: [PATCH RESEND] mac802154: Fix uninit-value access in ieee802154_hdr_push_sechdr
Date: Mon, 4 Dec 2023 09:57:18 +0100 [thread overview]
Message-ID: <20231204095718.40ccb1ee@xps-13> (raw)
In-Reply-To: <tencent_1C04CA8D66ADC45608D89687B4020B2A8706@qq.com>
Hi Zhang,
zhang_shurong@foxmail.com wrote on Sat, 2 Dec 2023 22:58:52 +0800:
> The syzkaller reported an issue:
Subject should start with [PATCH wpan]
>
> BUG: KMSAN: uninit-value in ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline]
> BUG: KMSAN: uninit-value in ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
> ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline]
> ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
> ieee802154_header_create+0x9c0/0xc00 net/mac802154/iface.c:396
> wpan_dev_hard_header include/net/cfg802154.h:494 [inline]
> dgram_sendmsg+0xd1d/0x1500 net/ieee802154/socket.c:677
> ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
> sock_sendmsg_nosec net/socket.c:725 [inline]
> sock_sendmsg net/socket.c:748 [inline]
> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2494
> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2548
> __sys_sendmsg+0x225/0x3c0 net/socket.c:2577
> __compat_sys_sendmsg net/compat.c:346 [inline]
> __do_compat_sys_sendmsg net/compat.c:353 [inline]
> __se_compat_sys_sendmsg net/compat.c:350 [inline]
>
> We found hdr->key_id_mode is uninitialized in mac802154_set_header_security()
> which indicates hdr.fc.security_enabled should be 0. However, it is set to be cb->secen before.
> Later, ieee802154_hdr_push_sechdr is invoked, causing KMSAN complains uninit-value issue.
I am not too deeply involved in the security header but for me it feels
like your patch does the opposite of what's needed. We should maybe
initialize hdr->key_id_mode based on the value in cb->secen, no? (maybe
Alexander will have a better understanding than I have).
> Since mac802154_set_header_security() sets hdr.fc.security_enabled based on the variables
> ieee802154_sub_if_data *sdata and ieee802154_mac_cb *cb in a collaborative manner.
> Therefore, we should not set security_enabled prior to mac802154_set_header_security().
>
> Fixed it by removing the line that sets the hdr.fc.security_enabled.
>
> Syzkaller don't provide repro, and I provide a syz repro like:
> r0 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
> setsockopt$WPAN_SECURITY(r0, 0x0, 0x1, &(0x7f0000000000)=0x2, 0x4)
> setsockopt$WPAN_SECURITY(r0, 0x0, 0x1, &(0x7f0000000080), 0x4)
> sendmsg$802154_dgram(r0, &(0x7f0000000100)={&(0x7f0000000040)={0x24, @short}, 0x14, &(0x7f00000000c0)={0x0}}, 0x0)
>
> Fixes: 32edc40ae65c ("ieee802154: change _cb handling slightly")
> Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
> ---
This is a resend, a message in a shortlog to express why is welcome. If
it's a ping, then no need to resend.
> net/mac802154/iface.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
> index c0e2da5072be..c99b6e40a5db 100644
> --- a/net/mac802154/iface.c
> +++ b/net/mac802154/iface.c
> @@ -368,7 +368,6 @@ static int ieee802154_header_create(struct sk_buff *skb,
>
> memset(&hdr.fc, 0, sizeof(hdr.fc));
> hdr.fc.type = cb->type;
> - hdr.fc.security_enabled = cb->secen;
> hdr.fc.ack_request = cb->ackreq;
> hdr.seq = atomic_inc_return(&dev->ieee802154_ptr->dsn) & 0xFF;
>
Thanks,
Miquèl
next prev parent reply other threads:[~2023-12-04 8:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-02 14:58 [PATCH RESEND] mac802154: Fix uninit-value access in ieee802154_hdr_push_sechdr Zhang Shurong
2023-12-04 8:57 ` Miquel Raynal [this message]
2023-12-15 3:01 ` Alexander Aring
2023-12-15 3:03 ` Alexander Aring
2024-01-12 13:15 ` Nikita Zhandarovich
2024-01-15 3:32 ` Alexander Aring
2024-01-18 1:42 ` Alexander Aring
2024-01-18 13:00 ` Nikita Zhandarovich
2024-02-05 19:49 ` Alexander Aring
2024-02-06 18:15 ` Nikita Zhandarovich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231204095718.40ccb1ee@xps-13 \
--to=miquel.raynal@bootlin.com \
--cc=alex.aring@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=harperchen1110@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wpan@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stefan@datenfreihafen.org \
--cc=zhang_shurong@foxmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).