[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231204095718.40ccb1ee@xps-13>
Date: Mon, 4 Dec 2023 09:57:18 +0100
From: Miquel Raynal <miquel.raynal@...tlin.com>
To: Zhang Shurong <zhang_shurong@...mail.com>
Cc: alex.aring@...il.com, stefan@...enfreihafen.org, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
linux-wpan@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, harperchen1110@...il.com
Subject: Re: [PATCH RESEND] mac802154: Fix uninit-value access in
ieee802154_hdr_push_sechdr
Hi Zhang,
zhang_shurong@...mail.com wrote on Sat, 2 Dec 2023 22:58:52 +0800:
> The syzkaller reported an issue:
Subject should start with [PATCH wpan]
>
> BUG: KMSAN: uninit-value in ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline]
> BUG: KMSAN: uninit-value in ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
> ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline]
> ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
> ieee802154_header_create+0x9c0/0xc00 net/mac802154/iface.c:396
> wpan_dev_hard_header include/net/cfg802154.h:494 [inline]
> dgram_sendmsg+0xd1d/0x1500 net/ieee802154/socket.c:677
> ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
> sock_sendmsg_nosec net/socket.c:725 [inline]
> sock_sendmsg net/socket.c:748 [inline]
> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2494
> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2548
> __sys_sendmsg+0x225/0x3c0 net/socket.c:2577
> __compat_sys_sendmsg net/compat.c:346 [inline]
> __do_compat_sys_sendmsg net/compat.c:353 [inline]
> __se_compat_sys_sendmsg net/compat.c:350 [inline]
>
> We found hdr->key_id_mode is uninitialized in mac802154_set_header_security()
> which indicates hdr.fc.security_enabled should be 0. However, it is set to be cb->secen before.
> Later, ieee802154_hdr_push_sechdr is invoked, causing KMSAN complains uninit-value issue.
I am not too deeply involved in the security header but for me it feels
like your patch does the opposite of what's needed. We should maybe
initialize hdr->key_id_mode based on the value in cb->secen, no? (maybe
Alexander will have a better understanding than I have).
> Since mac802154_set_header_security() sets hdr.fc.security_enabled based on the variables
> ieee802154_sub_if_data *sdata and ieee802154_mac_cb *cb in a collaborative manner.
> Therefore, we should not set security_enabled prior to mac802154_set_header_security().
>
> Fixed it by removing the line that sets the hdr.fc.security_enabled.
>
> Syzkaller don't provide repro, and I provide a syz repro like:
> r0 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
> setsockopt$WPAN_SECURITY(r0, 0x0, 0x1, &(0x7f0000000000)=0x2, 0x4)
> setsockopt$WPAN_SECURITY(r0, 0x0, 0x1, &(0x7f0000000080), 0x4)
> sendmsg$802154_dgram(r0, &(0x7f0000000100)={&(0x7f0000000040)={0x24, @short}, 0x14, &(0x7f00000000c0)={0x0}}, 0x0)
>
> Fixes: 32edc40ae65c ("ieee802154: change _cb handling slightly")
> Signed-off-by: Zhang Shurong <zhang_shurong@...mail.com>
> ---
This is a resend, a message in a shortlog to express why is welcome. If
it's a ping, then no need to resend.
> net/mac802154/iface.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
> index c0e2da5072be..c99b6e40a5db 100644
> --- a/net/mac802154/iface.c
> +++ b/net/mac802154/iface.c
> @@ -368,7 +368,6 @@ static int ieee802154_header_create(struct sk_buff *skb,
>
> memset(&hdr.fc, 0, sizeof(hdr.fc));
> hdr.fc.type = cb->type;
> - hdr.fc.security_enabled = cb->secen;
> hdr.fc.ack_request = cb->ackreq;
> hdr.seq = atomic_inc_return(&dev->ieee802154_ptr->dsn) & 0xFF;
>
Thanks,
Miquèl
Powered by blists - more mailing lists