nfc: nci: Fix uninit-value in nci_rx_work()

Message ID	20240803121817.383567-1-zhanghao1@kylinos.cn (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from mailgw.kylinos.cn (mailgw.kylinos.cn [124.126.103.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8ABC1847B; Sat, 3 Aug 2024 12:19:33 +0000 (UTC) From: zhanghao <zhanghao1@kylinos.cn> To: bongsu.jeon@samsung.com, krzk@kernel.org Cc: syzbot+3da70a0abd7f5765b6ea@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, zhanghao <zhanghao1@kylinos.cn> Subject: [PATCH] nfc: nci: Fix uninit-value in nci_rx_work() Date: Sat, 3 Aug 2024 20:18:17 +0800 Message-Id: <20240803121817.383567-1-zhanghao1@kylinos.cn> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	nfc: nci: Fix uninit-value in nci_rx_work() \| expand nfc: nci: Fix uninit-value in nci_rx_work()

Message ID

20240803121817.383567-1-zhanghao1@kylinos.cn (mailing list archive)

State

Changes Requested

Delegated to:

Netdev Maintainers

Headers

From: zhanghao <zhanghao1@kylinos.cn>
To: bongsu.jeon@samsung.com,
	krzk@kernel.org
Cc: syzbot+3da70a0abd7f5765b6ea@syzkaller.appspotmail.com,
	linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org,
	zhanghao <zhanghao1@kylinos.cn>
Subject: [PATCH] nfc: nci: Fix uninit-value in nci_rx_work()
Date: Sat,  3 Aug 2024 20:18:17 +0800
Message-Id: <20240803121817.383567-1-zhanghao1@kylinos.cn>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

nfc: nci: Fix uninit-value in nci_rx_work() | expand

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 29 this patch: 29
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	fail	1 blamed authors not CCed: kuba@kernel.org; 1 maintainers not CCed: kuba@kernel.org
netdev/build_clang	success	Errors and warnings before: 29 this patch: 29
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 29 this patch: 29
netdev/checkpatch	warning	CHECK: spaces preferred around that '\|' (ctx:VxV)
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	success	net-next-2024-08-05--12-00 (tests: 706)

Context

Check

Description

netdev/series_format

warning

Single patches do not need cover letters; Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 29 this patch: 29

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

fail

1 blamed authors not CCed: kuba@kernel.org; 1 maintainers not CCed: kuba@kernel.org

netdev/build_clang

success

Errors and warnings before: 29 this patch: 29

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 29 this patch: 29

netdev/checkpatch

warning

CHECK: spaces preferred around that '|' (ctx:VxV)

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

netdev/contest

success

net-next-2024-08-05--12-00 (tests: 706)

Commit Message

zhanghao Aug. 3, 2024, 12:18 p.m. UTC

Commit e624e6c3e777 ("nfc: Add a virtual nci device driver")
calls alloc_skb() with GFP_KERNEL as the argument flags.The
allocated heap memory was not initialized.This causes KMSAN
to detect an uninitialized value.

Reported-by: syzbot+3da70a0abd7f5765b6ea@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3da70a0abd7f5765b6ea
Fixes: e624e6c3e777 ("nfc: Add a virtual nci device driver")
Link: https://lore.kernel.org/all/000000000000747dd6061a974686@google.com/T/
Signed-off-by: zhanghao <zhanghao1@kylinos.cn>
---
 drivers/nfc/virtual_ncidev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


base-commit: 17712b7ea0756799635ba159cc773082230ed028

Comments

Simon Horman Aug. 4, 2024, 10:57 a.m. UTC | #1

On Sat, Aug 03, 2024 at 08:18:17PM +0800, zhanghao wrote:
> Commit e624e6c3e777 ("nfc: Add a virtual nci device driver")
> calls alloc_skb() with GFP_KERNEL as the argument flags.The
> allocated heap memory was not initialized.This causes KMSAN
> to detect an uninitialized value.
> 
> Reported-by: syzbot+3da70a0abd7f5765b6ea@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3da70a0abd7f5765b6ea

Hi,

I wonder if the problem reported above is caused by accessing packet
data which is past the end of what is copied in virtual_ncidev_write().
I.e. count is unusually short and this is not being detected.

> Fixes: e624e6c3e777 ("nfc: Add a virtual nci device driver")
> Link: https://lore.kernel.org/all/000000000000747dd6061a974686@google.com/T/
> Signed-off-by: zhanghao <zhanghao1@kylinos.cn>
> ---
>  drivers/nfc/virtual_ncidev.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c
> index 6b89d596ba9a..ae1592db131e 100644
> --- a/drivers/nfc/virtual_ncidev.c
> +++ b/drivers/nfc/virtual_ncidev.c
> @@ -117,7 +117,7 @@ static ssize_t virtual_ncidev_write(struct file *file,
>  	struct virtual_nci_dev *vdev = file->private_data;
>  	struct sk_buff *skb;
>  
> -	skb = alloc_skb(count, GFP_KERNEL);
> +	skb = alloc_skb(count, GFP_KERNEL|__GFP_ZERO);
>  	if (!skb)
>  		return -ENOMEM;

I'm not sure this helps wrt initialising the memory as immediately below there
is;

	if (copy_from_user(skb_put(skb, count), buf, count)) {
		...

Which I assume will initialise count bytes of skb data.

Krzysztof Kozlowski Aug. 5, 2024, 8:20 a.m. UTC | #2

On 04/08/2024 12:57, Simon Horman wrote:
> On Sat, Aug 03, 2024 at 08:18:17PM +0800, zhanghao wrote:
>> Commit e624e6c3e777 ("nfc: Add a virtual nci device driver")
>> calls alloc_skb() with GFP_KERNEL as the argument flags.The
>> allocated heap memory was not initialized.This causes KMSAN
>> to detect an uninitialized value.
>>
>> Reported-by: syzbot+3da70a0abd7f5765b6ea@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=3da70a0abd7f5765b6ea
> 
> Hi,
> 
> I wonder if the problem reported above is caused by accessing packet
> data which is past the end of what is copied in virtual_ncidev_write().
> I.e. count is unusually short and this is not being detected.
> 
>> Fixes: e624e6c3e777 ("nfc: Add a virtual nci device driver")
>> Link: https://lore.kernel.org/all/000000000000747dd6061a974686@google.com/T/
>> Signed-off-by: zhanghao <zhanghao1@kylinos.cn>
>> ---
>>  drivers/nfc/virtual_ncidev.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c
>> index 6b89d596ba9a..ae1592db131e 100644
>> --- a/drivers/nfc/virtual_ncidev.c
>> +++ b/drivers/nfc/virtual_ncidev.c
>> @@ -117,7 +117,7 @@ static ssize_t virtual_ncidev_write(struct file *file,
>>  	struct virtual_nci_dev *vdev = file->private_data;
>>  	struct sk_buff *skb;
>>  
>> -	skb = alloc_skb(count, GFP_KERNEL);
>> +	skb = alloc_skb(count, GFP_KERNEL|__GFP_ZERO);
>>  	if (!skb)
>>  		return -ENOMEM;
> 
> I'm not sure this helps wrt initialising the memory as immediately below there
> is;
> 
> 	if (copy_from_user(skb_put(skb, count), buf, count)) {
> 		...
> 
> Which I assume will initialise count bytes of skb data.

Yeah, this looks like hiding the real issue.

Best regards,
Krzysztof

zhanghao Aug. 8, 2024, 12:59 a.m. UTC | #3

On 04/08/2024 12:57, Simon Horman wrote:
> > On Sat, Aug 03, 2024 at 08:18:17PM +0800, zhanghao wrote:
> >> Commit e624e6c3e777 ("nfc: Add a virtual nci device driver")
> >> calls alloc_skb() with GFP_KERNEL as the argument flags.The
> >> allocated heap memory was not initialized.This causes KMSAN
> >> to detect an uninitialized value.
> >>
> >> Reported-by: syzbot+3da70a0abd7f5765b6ea@syzkaller.appspotmail.com
> >> Closes: https://syzkaller.appspot.com/bug?extid=3da70a0abd7f5765b6ea
> > 
> > Hi,
> > 
> > I wonder if the problem reported above is caused by accessing packet
> > data which is past the end of what is copied in virtual_ncidev_write().
> > I.e. count is unusually short and this is not being detected.
> > 
Yes, you're right.I debug the kernel and find that skb->data is " ".The 
length is less than 2.Using nci_plen to access skb->data in nci_rx_work()
triggers kmsan to detect access to uninitialized memory.
 
I wonder if I can use skb->len to determine length in the
nci_rx_work().I tested it and there was no problem.
 
> >> Fixes: e624e6c3e777 ("nfc: Add a virtual nci device driver")
> >> Link: https://lore.kernel.org/all/000000000000747dd6061a974686@google.com/T/
> >> Signed-off-by: zhanghao <zhanghao1@kylinos.cn>
> >> ---
> >>  drivers/nfc/virtual_ncidev.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c
> >> index 6b89d596ba9a..ae1592db131e 100644
> >> --- a/drivers/nfc/virtual_ncidev.c
> >> +++ b/drivers/nfc/virtual_ncidev.c
> >> @@ -117,7 +117,7 @@ static ssize_t virtual_ncidev_write(struct file *file,
> >>  	struct virtual_nci_dev *vdev = file->private_data;
> >>  	struct sk_buff *skb;
> >>  
> >> -	skb = alloc_skb(count, GFP_KERNEL);
> >> +	skb = alloc_skb(count, GFP_KERNEL|__GFP_ZERO);
> >>  	if (!skb)
> >>  		return -ENOMEM;
> > 
> > I'm not sure this helps wrt initialising the memory as immediately below there
> > is;
> > 
> > 	if (copy_from_user(skb_put(skb, count), buf, count)) {
> > 		...
> > 
> > Which I assume will initialise count bytes of skb data.
> 
> Yeah, this looks like hiding the real issue.
> 
> Best regards,
> Krzysztof

diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c
index 6b89d596ba9a..ae1592db131e 100644
--- a/drivers/nfc/virtual_ncidev.c
+++ b/drivers/nfc/virtual_ncidev.c
@@ -117,7 +117,7 @@  static ssize_t virtual_ncidev_write(struct file *file,
 	struct virtual_nci_dev *vdev = file->private_data;
 	struct sk_buff *skb;
 
-	skb = alloc_skb(count, GFP_KERNEL);
+	skb = alloc_skb(count, GFP_KERNEL|__GFP_ZERO);
 	if (!skb)
 		return -ENOMEM;

nfc: nci: Fix uninit-value in nci_rx_work()

Checks

Commit Message

Comments

Patch