Message-ID: <20221213142053.GA107908@medve-MS-7D32>
Date: Tue, 13 Dec 2022 23:20:53 +0900
From: Minsuk Kang <linuxlovemin@...sei.ac.kr>
To: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>, netdev@...r.kernel.org
Cc: linma@....edu.cn, davem@...emloft.net, sameo@...ux.intel.com, dokyungs@...sei.ac.kr, jisoo.jang@...sei.ac.kr, Minsuk Kang <linuxlovemin@...sei.ac.kr>
Subject: Re: Re: [PATCH net] nfc: pn533: Clear nfc_target in pn533_poll_dep_complete() before being used

On Tue, Dec 13, 2022 at 11:45:53AM +0100, Krzysztof Kozlowski wrote:
> > This patch fixes a slab-out-of-bounds read in pn533 that occurs in
> 
> Do not use "This commit/patch".
> https://elixir.bootlin.com/linux/v5.17.1/source/Documentation/process/submitting-patches.rst#L95
> 
> > nla_put() called from nfc_genl_send_target() when target->sensb_res_len,
> > which is duplicated from nfc_target in pn533_poll_dep_complete(), is
> > too large as the nfc_target is not properly initialized and retains
> > garbage values. The patch clears the nfc_target before it is used.
> 
> Same here
> 
> > 
> > Found by a modified version of syzkaller.
> > 
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in nla_put+0xe0/0x120
> > Read of size 94 at addr ffff888109d1dfa0 by task syz-executor/4367
> > 
> > CPU: 0 PID: 4367 Comm: syz-executor Not tainted 5.14.0+ #171
[snip]
> > Memory state around the buggy address:
> >  ffff888109d1de80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> >  ffff888109d1df00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
> > >ffff888109d1df80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
> >                                ^
> >  ffff888109d1e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >  ffff888109d1e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 
> Drop unrelated pieces of OOPS and keep only things which are relevant.
> 

Thank you for the comments. I will update the commit message as advised in v2.
> > ==================================================================
> > 
> > Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
> > Reported-by: Dokyung Song <dokyungs@...sei.ac.kr>
> > Reported-by: Jisoo Jang <jisoo.jang@...sei.ac.kr>
> > Reported-by: Minsuk Kang <linuxlovemin@...sei.ac.kr>
> 
> Reported-by is for crediting other people, not crediting yourself.
> Otherwise all my patches would be reported-by, right? Please drop this
> one and keep only credit for other people who actually reported it. It's
> anyway weird to see three people reporting one bug.
> 
> Additionally I really dislike private reports because they sometimes
> cannot be trusted (see all the fake report credits from running
> coccinelle by Hulk Robot and others)... Care to provide a link to the
> reports of this bug?
> 

My intention was to credit all the people who contributed to the modification of syzkaller that led to this bug. But I will drop them in v2.

> > Signed-off-by: Minsuk Kang <linuxlovemin@...sei.ac.kr>
> > ---
> >  drivers/nfc/pn533/pn533.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
> > index d9f6367b9993..c6a611622668 100644
> > --- a/drivers/nfc/pn533/pn533.c
> > +++ b/drivers/nfc/pn533/pn533.c
> > @@ -1295,6 +1295,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
> >  	if (IS_ERR(resp))
> >  		return PTR_ERR(resp);
> >  
> > +	memset(&nfc_target, 0, sizeof(struct nfc_target));
> 
> There is one more place to fix in pn533_in_dep_link_up_complete()

Thank you. I will add a fix for it in v2.

Best regards,
Minsuk
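Review bot: the added memset in the pn533_poll_dep_complete() hunk uses sizeof(struct nfc_target), which restates the type instead of tracking the variable; sizeof(nfc_target) is the usual form, and since nfc_target is a stack local (the memset takes its address), zero-initializing it at the declaration (struct nfc_target nfc_target = {};) is the more idiomatic fix because it cannot be bypassed by any early return placed before the memset. Whichever form is kept, the same clearing is needed in pn533_in_dep_link_up_complete(), as already noted in the review, since that path builds the target the same way; and the diffstat reports 2 insertions while only the memset line is visible in the quoted hunk, so the quoted patch is truncated here.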
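The bug mechanism the thread describes, as an added user-space model that is not part of the pn533 driver or the patch: a driver-side completion fills only the fields it knows about in a stack-local target struct, copies the struct into the device's target array, and a netlink consumer later trusts the struct's sensb_res_len field as the length to nla_put(). The struct below is a cut-down stand-in for struct nfc_target; SENSB_RES_MAXSIZE (12) is assumed to mirror NFC_SENSB_RES_MAXSIZE in include/net/nfc/nfc.h, the 0x5e fill standing in for stale stack contents is constructed so that the garbage length equals the 94-byte read in the KASAN report, and every function name is hypothetical.

```c
/* Added example (not pn533 or kernel code): a user-space model of the
 * uninitialized struct nfc_target bug discussed above. Struct layout,
 * SENSB_RES_MAXSIZE and all function names here are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SENSB_RES_MAXSIZE 12   /* assumed to mirror NFC_SENSB_RES_MAXSIZE */
#define NFCID1_MAXSIZE    10

struct nfc_target_model {
    uint32_t supported_protocols;
    uint8_t  nfcid1[NFCID1_MAXSIZE];
    uint8_t  nfcid1_len;
    uint8_t  sensb_res[SENSB_RES_MAXSIZE];
    uint8_t  sensb_res_len;
};

/* Stand-in for the DEP poll completion path: it fills only the fields
 * the ATR_RES provides, so whatever already sat in sensb_res_len is
 * left alone and later copied onward with the rest of the struct. */
static void fill_dep_target(struct nfc_target_model *t,
                            const uint8_t *nfcid, size_t nfcid_len,
                            uint32_t protocols)
{
    if (nfcid_len > NFCID1_MAXSIZE)
        nfcid_len = NFCID1_MAXSIZE;
    t->supported_protocols = protocols;
    t->nfcid1_len = (uint8_t)nfcid_len;
    memcpy(t->nfcid1, nfcid, nfcid_len);
}

/* Stand-in for nla_put(skb, attr, target->sensb_res_len, target->sensb_res)
 * in nfc_genl_send_target(). The real nla_put trusts the length it is
 * handed; the bounds check here is what turns the out-of-bounds read
 * into a clean -1 when the length field exceeds the backing array. */
static int put_sensb_res(const struct nfc_target_model *t,
                         uint8_t *out, size_t out_len)
{
    if (t->sensb_res_len > sizeof(t->sensb_res) || t->sensb_res_len > out_len)
        return -1;
    memcpy(out, t->sensb_res, t->sensb_res_len);
    return t->sensb_res_len;
}

/* Shared driver-side flow; clear_first selects the patched behaviour.
 * The 0x5e fill is a constructed stand-in for stale stack contents,
 * chosen so the garbage sensb_res_len is 94, the read size in the
 * report. On a real stack it is whatever the previous frame left. */
static int run_poll_dep(int clear_first)
{
    struct nfc_target_model nfc_target;    /* the driver's stack local */
    struct nfc_target_model dev_target;    /* stand-in for dev->targets[0] */
    uint8_t out[SENSB_RES_MAXSIZE];
    static const uint8_t nfcid[] = { 0x01, 0x02, 0x03 };   /* constructed */

    memset(&nfc_target, 0x5e, sizeof(nfc_target));        /* simulated garbage */
    if (clear_first)
        memset(&nfc_target, 0, sizeof(nfc_target));       /* the patch's fix */

    fill_dep_target(&nfc_target, nfcid, sizeof(nfcid), 0x8);
    memcpy(&dev_target, &nfc_target, sizeof(dev_target)); /* copy into dev->targets */

    return put_sensb_res(&dev_target, out, sizeof(out));
}

/* 'Before': sensb_res_len is 94, larger than the 12-byte array; returns -1. */
int vulnerable_poll_dep(void) { return run_poll_dep(0); }

/* 'After': sensb_res_len is 0, nothing is read past the array; returns 0. */
int fixed_poll_dep(void) { return run_poll_dep(1); }

int main(void)
{
    printf("uninitialized struct -> put_sensb_res = %d\n", vulnerable_poll_dep());
    printf("zeroed struct        -> put_sensb_res = %d\n", fixed_poll_dep());
    return 0;
}
```

The check inside put_sensb_res() is the consumer-side guard the kernel path does not have: nfc_genl_send_target() passes sensb_res_len straight to nla_put(), so the only thing standing between stale stack contents and the out-of-bounds read is the producer zeroing the struct, which is why the fix belongs at the declaration or before the first field assignment in every path that builds a target, not only in pn533_poll_dep_complete().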