| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Mar 2021 21:26:32 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Alaa Emad <alaaemadhossney.ae@...il.com>,
johannes@...solutions.net, davem@...emloft.net, kuba@...nel.org
Cc: gregkh@...uxfoundation.org, linux-wireless@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com,
syzbot+72b99dcf4607e8c770f3@...kaller.appspotmail.com
Subject: Re: [PATCH v2] wireless/nl80211.c: fix uninitialized variable
On 3/30/21 7:22 PM, Alaa Emad wrote:
> This change fix KMSAN uninit-value in net/wireless/nl80211.c:225 , That
> because of `fixedlen` variable uninitialized,So I initialized it by zero.
>
> Reported-by: syzbot+72b99dcf4607e8c770f3@...kaller.appspotmail.com
> Signed-off-by: Alaa Emad <alaaemadhossney.ae@...il.com>
> ---
> Changes in v2:
> - Make the commit message more clearer.
> ---
> net/wireless/nl80211.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 775d0c4d86c3..b87ab67ad33d 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -210,7 +210,7 @@ static int validate_beacon_head(const struct nlattr *attr,
> const struct element *elem;
> const struct ieee80211_mgmt *mgmt = (void *)data;
> bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
> - unsigned int fixedlen, hdrlen;
> + unsigned int fixedlen = 0, hdrlen;
>
> if (s1g_bcn) {
> fixedlen = offsetof(struct ieee80211_ext,
>
What was the report exactly ?
Current code does :
unsigned int fixedlen;
if (s1g_bcn) {
fixedlen = something1;
...
else {
fixedlen = something2;
...
}
So your patch does nothing.
Initial value of @fixedlen is not relevant.
Reading this code (without access to KMSAN report) I suspect the issue
is more like the following :
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 775d0c4d86c3..d815261917ff 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -209,9 +209,12 @@ static int validate_beacon_head(const struct nlattr *attr,
unsigned int len = nla_len(attr);
const struct element *elem;
const struct ieee80211_mgmt *mgmt = (void *)data;
- bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
unsigned int fixedlen, hdrlen;
+ bool s1g_bcn;
+ if (len < offsetofend(typeof(*mgmt), frame_control))
+ goto err;
+ s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
if (s1g_bcn) {
fixedlen = offsetof(struct ieee80211_ext,
u.s1g_beacon.variable);
Powered by blists - more mailing lists