lists.openwall.net: Open Source and information security mailing list archives
Date: Tue, 13 Dec 2022 17:05:27 +0100
From: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To: Minsuk Kang <linuxlovemin@...sei.ac.kr>, netdev@...r.kernel.org
Cc: linma@....edu.cn, davem@...emloft.net, sameo@...ux.intel.com, linville@...driver.com, dokyungs@...sei.ac.kr, jisoo.jang@...sei.ac.kr
Subject: Re: [PATCH net v2] nfc: pn533: Clear nfc_target before being used

On 13/12/2022 17:03, Minsuk Kang wrote:
> On Tue, Dec 13, 2022 at 03:41:36PM +0100, Krzysztof Kozlowski wrote:
>> On 13/12/2022 15:38, Krzysztof Kozlowski wrote:
>>> On 13/12/2022 15:27, Minsuk Kang wrote:
>>>> Fix a slab-out-of-bounds read that occurs in nla_put() called from
>>>> nfc_genl_send_target() when target->sensb_res_len, which is duplicated
>>>> from an nfc_target in pn533, is too large as the nfc_target is not
>>>> properly initialized and retains garbage values. Clear nfc_targets with
>>>> memset() before they are used.
>>>>
>>>> Found by a modified version of syzkaller.
>>>>
>>>> BUG: KASAN: slab-out-of-bounds in nla_put
>>>> Call Trace:
>>>>  memcpy
>>>>  nla_put
>>>>  nfc_genl_dump_targets
>>>>  genl_lock_dumpit
>>>>  netlink_dump
>>>>  __netlink_dump_start
>>>>  genl_family_rcv_msg_dumpit
>>>>  genl_rcv_msg
>>>>  netlink_rcv_skb
>>>>  genl_rcv
>>>>  netlink_unicast
>>>>  netlink_sendmsg
>>>>  sock_sendmsg
>>>>  ____sys_sendmsg
>>>>  ___sys_sendmsg
>>>>  __sys_sendmsg
>>>>  do_syscall_64
>>>>
>>>> Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
>>>> Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
>>>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
>>>
>>> How did it happen? From where did you get it?
>>
>> I double checked - I did not send it. This is some fake tag. Please do
>> not add fake/invented/created tags with people's names.
>
> Sorry for my confusion.
>
> https://elixir.bootlin.com/linux/v5.17.1/source/Documentation/process/submitting-patches.rst#L505
>
> I missed the definition of the tag as I did not read the document
> carefully and misunderstood that the tag simply means I have got a
> reply from maintainers and I should manually attach it if that is
> the case. I will rewrite the patch after I make sure I fully
> understand the whole rules.

The document says:
"By offering my Reviewed-by: tag, I state that:"

You need to receive it explicitly from the reviewer. Once received, but
only then, add to the patch.

Best regards,
Krzysztof
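The failure mode in the quoted commit message, as an added example that is not the kernel's, the pn533 driver's, or the patch's code: a target structure is filled for one target type, the length field of a response that type never carries is left untouched, and a consumer that trusts that length copies more bytes than the field holds. The struct, the sizes, and the function names (`fill_target_unfixed`, `fill_target_fixed`, `put_sensb_res`) are simplified stand-ins chosen for this example, and the "stale memory" is constructed by pre-filling the object with 0xA5. The fix mirrors the patch's approach (memset() the object before use); the bound check in `put_sensb_res` is an extra defensive measure that the real nla_put() does not perform, included here so the stale length is reported rather than over-read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes are assumptions for this example, not the kernel's constants. */
#define SENSB_RES_MAXSIZE 12
#define NFCID1_MAXSIZE    10

/* Simplified stand-in for struct nfc_target: each variable-length
 * response is a fixed buffer plus a count of valid bytes. */
struct target {
	uint8_t nfcid1[NFCID1_MAXSIZE];
	uint8_t nfcid1_len;
	uint8_t sensb_res[SENSB_RES_MAXSIZE];
	uint8_t sensb_res_len;
};

/* Constructed stand-in for memory that was not freshly zeroed (a reused
 * slab object or stack slot): every byte carries a stale value. 0xA5 is
 * chosen so the stale length (165) is obviously larger than the buffer. */
static void simulate_stale_memory(struct target *t)
{
	memset(t, 0xA5, sizeof(*t));
}

/* Unfixed driver path (hypothetical): a DEP target carries no SENSB
 * response, so only the NFCID1 fields are written and sensb_res_len is
 * never touched. Whatever was in memory before is left in place. */
static int fill_target_unfixed(struct target *t, const uint8_t *nfcid, size_t nfcid_len)
{
	if (nfcid_len > sizeof(t->nfcid1))
		return -1;
	memcpy(t->nfcid1, nfcid, nfcid_len);
	t->nfcid1_len = (uint8_t)nfcid_len;
	return 0;
}

/* Fixed driver path: clear the whole object first, as the patch in the
 * thread does with memset(), so every length not explicitly set is 0. */
static int fill_target_fixed(struct target *t, const uint8_t *nfcid, size_t nfcid_len)
{
	memset(t, 0, sizeof(*t));
	return fill_target_unfixed(t, nfcid, nfcid_len);
}

/* Consumer side, modelled loosely on nfc_genl_send_target(): copy
 * sensb_res into an outgoing attribute buffer. The kernel's nla_put()
 * trusts the length it is handed; this stand-in refuses a length larger
 * than the field it copies from, so a stale length is reported instead
 * of over-read. Returns bytes copied, or -1. */
static int put_sensb_res(const struct target *t, uint8_t *out, size_t out_size)
{
	if (t->sensb_res_len > sizeof(t->sensb_res))
		return -1; /* this is where the slab-out-of-bounds read would happen */
	if (t->sensb_res_len > out_size)
		return -1;
	memcpy(out, t->sensb_res, t->sensb_res_len);
	return t->sensb_res_len;
}

/* Constructed sample NFCID1; the value is arbitrary. */
static const uint8_t sample_nfcid1[4] = { 0x08, 0x12, 0x34, 0x56 };

/* Length the consumer sees on the unfixed path: the stale byte 0xA5 (165). */
uint8_t stale_sensb_res_len(void)
{
	struct target t;
	simulate_stale_memory(&t);
	fill_target_unfixed(&t, sample_nfcid1, sizeof(sample_nfcid1));
	return t.sensb_res_len;
}

/* Unfixed path: the copy is refused (-1) because 165 > SENSB_RES_MAXSIZE. */
int send_unfixed(void)
{
	struct target t;
	uint8_t out[64];
	simulate_stale_memory(&t);
	fill_target_unfixed(&t, sample_nfcid1, sizeof(sample_nfcid1));
	return put_sensb_res(&t, out, sizeof(out));
}

/* Fixed path: same stale memory, but cleared first, so 0 bytes are copied. */
int send_fixed(void)
{
	struct target t;
	uint8_t out[64];
	simulate_stale_memory(&t);
	fill_target_fixed(&t, sample_nfcid1, sizeof(sample_nfcid1));
	return put_sensb_res(&t, out, sizeof(out));
}

int main(void)
{
	printf("stale sensb_res_len: %u (buffer holds %d bytes)\n",
	       stale_sensb_res_len(), SENSB_RES_MAXSIZE);
	printf("unfixed: %d, fixed: %d\n", send_unfixed(), send_fixed());
	return 0;
}
```

The point the example isolates is that a length field is trusted by code several layers away from the code that was supposed to set it, so a driver path that leaves the struct partially populated turns into an over-read in the netlink layer. Zeroing the object at the point of allocation or first use is the cheapest way to make every unset length equal 0; with a real kernel build, KASAN is what turns the over-read into the report quoted in the commit message.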