lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 13 Dec 2022 17:05:27 +0100
From:   Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To:     Minsuk Kang <linuxlovemin@...sei.ac.kr>, netdev@...r.kernel.org
Cc:     linma@....edu.cn, davem@...emloft.net, sameo@...ux.intel.com,
        linville@...driver.com, dokyungs@...sei.ac.kr,
        jisoo.jang@...sei.ac.kr
Subject: Re: [PATCH net v2] nfc: pn533: Clear nfc_target before being used

On 13/12/2022 17:03, Minsuk Kang wrote:
> On Tue, Dec 13, 2022 at 03:41:36PM +0100, Krzysztof Kozlowski wrote:
>> On 13/12/2022 15:38, Krzysztof Kozlowski wrote:
>>> On 13/12/2022 15:27, Minsuk Kang wrote:
>>>> Fix a slab-out-of-bounds read that occurs in nla_put() called from
>>>> nfc_genl_send_target() when target->sensb_res_len, which is duplicated
>>>> from an nfc_target in pn533, is too large as the nfc_target is not
>>>> properly initialized and retains garbage values. Clear nfc_targets with
>>>> memset() before they are used.
>>>>
>>>> Found by a modified version of syzkaller.
>>>>
>>>> BUG: KASAN: slab-out-of-bounds in nla_put
>>>> Call Trace:
>>>>  memcpy
>>>>  nla_put
>>>>  nfc_genl_dump_targets
>>>>  genl_lock_dumpit
>>>>  netlink_dump
>>>>  __netlink_dump_start
>>>>  genl_family_rcv_msg_dumpit
>>>>  genl_rcv_msg
>>>>  netlink_rcv_skb
>>>>  genl_rcv
>>>>  netlink_unicast
>>>>  netlink_sendmsg
>>>>  sock_sendmsg
>>>>  ____sys_sendmsg
>>>>  ___sys_sendmsg
>>>>  __sys_sendmsg
>>>>  do_syscall_64
>>>>
>>>> Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
>>>> Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
>>>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
>>>
>>> How did it happen? From where did you get it?
>>
>> I double checked - I did not send it. This is some fake tag. Please do
>> not add fake/invented/created tags with people's names.
> 
> Sorry for my confusion.
> 
> https://elixir.bootlin.com/linux/v5.17.1/source/Documentation/process/submitting-patches.rst#L505
> 
> I missed the definition of the tag as I did not read the document
> carefully and misunderstood that the tag simply means I have got a
> reply from maintainers and I should manually attach it if that is
> the case. I will rewrite the patch after I make sure I fully
> understand the whole rules.

The document says:
"By offering my Reviewed-by: tag, I state that:"

You need to receive it explicitly from the reviewer. Once received, but
only then, add to the patch.

Best regards,
Krzysztof

Powered by blists - more mailing lists