| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Apr 2024 11:55:54 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Ryosuke Yasuoka <ryasuoka@...hat.com>
Cc: krzysztof.kozlowski@...aro.org, davem@...emloft.net, kuba@...nel.org,
pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syoshida@...hat.com
Subject: Re: [PATCH net] nfc: nci: Fix uninit-value in nci_rx_work
On Sun, Apr 7, 2024 at 10:05 AM Ryosuke Yasuoka <ryasuoka@...hat.com> wrote:
>
> syzbot reported the following uninit-value access issue [1]
>
> nci_rx_work() parses received packet from ndev->rx_q. It should be
> checked skb->len is non-zero to verify if it is valid before processing
> the packet. If skb->len is zero but skb->data is not, such packet is
> invalid and should be silently discarded.
>
> Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
> Reported-and-tested-by: syzbot+d7b4dc6cd50410152534@...kaller.appspotmailcom
> Closes: https://syzkaller.appspot.com/bug?extid=d7b4dc6cd50410152534 [1]
> Signed-off-by: Ryosuke Yasuoka <ryasuoka@...hat.com>
> ---
> net/nfc/nci/core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
> index 0d26c8ec9993..b7a020484131 100644
> --- a/net/nfc/nci/core.c
> +++ b/net/nfc/nci/core.c
> @@ -1516,7 +1516,7 @@ static void nci_rx_work(struct work_struct *work)
> nfc_send_to_raw_sock(ndev->nfc_dev, skb,
> RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);
>
> - if (!nci_plen(skb->data)) {
> + if (!skb->len || !nci_plen(skb->data)) {
#define nci_plen(hdr) (__u8)((hdr)[2])
So your patch will not help if skb->len is 1 or 2.
Powered by blists - more mailing lists