lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20251214001338.1127132-2-katharasasikumar007@gmail.com>
Date: Sun, 14 Dec 2025 00:13:39 +0000
From: Kathara Sasikumar <katharasasikumar007@...il.com>
To: alex.aring@...il.com, stefan@...enfreihafen.org, miquel.raynal@...tlin.com
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, linux-wpan@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, shuah@...nel.org, skhan@...uxfoundation.org, Kathara Sasikumar <katharasasikumar007@...il.com>, syzbot+60a66d44892b66b56545@...kaller.appspotmail.com
Subject: [PATCH] mac802154: fix uninitialized security header fields

KMSAN reported an uninitialized-value access in
ieee802154_hdr_push_sechdr(). This happened because
mac802154_set_header_security() allowed frames with cb->secen=1 but
LLSEC disabled when secen_override=0, leaving parts of the security
header uninitialized.

Fix the validation so security-enabled frames are rejected whenever
LLSEC is disabled, regardless of secen_override. Also clear the full
header struct in the header creation functions to avoid partial
initialization.

Reported-by: syzbot+60a66d44892b66b56545@...kaller.appspotmail.com
Tested-by: syzbot+60a66d44892b66b56545@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=60a66d44892b66b56545
Signed-off-by: Kathara Sasikumar <katharasasikumar007@...il.com>
---
 net/mac802154/iface.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 9e4631fade90..a1222c1b62b3 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -328,8 +328,14 @@ static int mac802154_set_header_security(struct ieee802154_sub_if_data *sdata,
 
 	mac802154_llsec_get_params(&sdata->sec, &params);
 
-	if (!params.enabled && cb->secen_override && cb->secen)
-		return -EINVAL;
+	if (!cb->secen_override) {
+        	if (!params.enabled)
+                	return 0;
+	} else {
+        	if (cb->secen && !params.enabled)
+                	return -EINVAL;
+	}
+
 	if (!params.enabled ||
 	    (cb->secen_override && !cb->secen) ||
 	    !params.out_level)
@@ -366,7 +372,7 @@ static int ieee802154_header_create(struct sk_buff *skb,
 	if (!daddr)
 		return -EINVAL;
 
-	memset(&hdr.fc, 0, sizeof(hdr.fc));
+	memset(&hdr, 0, sizeof(hdr));
 	hdr.fc.type = cb->type;
 	hdr.fc.security_enabled = cb->secen;
 	hdr.fc.ack_request = cb->ackreq;
@@ -432,7 +438,7 @@ static int mac802154_header_create(struct sk_buff *skb,
 	if (!daddr)
 		return -EINVAL;
 
-	memset(&hdr.fc, 0, sizeof(hdr.fc));
+	memset(&hdr, 0, sizeof(hdr));
 	hdr.fc.type = IEEE802154_FC_TYPE_DATA;
 	hdr.fc.ack_request = wpan_dev->ackreq;
 	hdr.seq = atomic_inc_return(&dev->ieee802154_ptr->dsn) & 0xFF;
-- 
2.51.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ