Message ID | ZwrENfTGYG9wnap0@fedora (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Netdev Maintainers |
Series | nfc/nci: Fix uninit-value issue in nci_ntf_packet |

On 12/10/2024 20:47, Qianqiang Liu wrote:
> When an unsupported rf_tech_and_mode (0xe6) occurs in nci_rf_discover_ntf_packet,
> the ntf.ntf_type may be assigned an uninitialized value.
>
> To resolve this, use the __GFP_ZERO flag when calling alloc_skb(),
> ensuring that skb->data is properly initialized.
>
> Reported-by: syzbot+3f8fa0edaa75710cd66e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3f8fa0edaa75710cd66e
> Tested-by: syzbot+3f8fa0edaa75710cd66e@syzkaller.appspotmail.com
> Signed-off-by: Qianqiang Liu <qianqiang.liu@163.com>

Do not attach (thread) your patchsets to some other threads (unrelated or older versions). This buries them deep in the mailbox and might interfere with applying entire sets.

> --- > drivers/nfc/virtual_ncidev.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c > index 6b89d596ba9a..31da26287327 100644 > --- a/drivers/nfc/virtual_ncidev.c > +++ b/drivers/nfc/virtual_ncidev.c > @@ -117,7 +117,7 @@ static ssize_t virtual_ncidev_write(struct file *file, > struct virtual_nci_dev *vdev = file->private_data; > struct sk_buff *skb; > > - skb = alloc_skb(count, GFP_KERNEL); > + skb = alloc_skb(count, GFP_KERNEL | __GFP_ZERO); > if (!skb) > return -ENOMEM;

Same comments as before:
https://lore.kernel.org/all/20240803121817.383567-1-zhanghao1@kylinos.cn/

Respond to existing feedback, please.

Best regards,
Krzysztof

On Wed, Oct 16, 2024 at 09:58:53AM +0200, Krzysztof Kozlowski wrote:
>
> Same comments as before:
> https://lore.kernel.org/all/20240803121817.383567-1-zhanghao1@kylinos.cn/
>
> Respond to existing feedback, please.
>
> Best regards,
> Krzysztof

Got it, thanks!

diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c index 6b89d596ba9a..31da26287327 100644 --- a/drivers/nfc/virtual_ncidev.c +++ b/drivers/nfc/virtual_ncidev.c @@ -117,7 +117,7 @@ static ssize_t virtual_ncidev_write(struct file *file, struct virtual_nci_dev *vdev = file->private_data; struct sk_buff *skb; - skb = alloc_skb(count, GFP_KERNEL); + skb = alloc_skb(count, GFP_KERNEL | __GFP_ZERO); if (!skb) return -ENOMEM;
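
Review bot: the `__GFP_ZERO` added to the `alloc_skb(count, GFP_KERNEL)` call in `virtual_ncidev_write()` hides the uninitialized read rather than fixing it at the place the commit message names, `nci_rf_discover_ntf_packet()`. Zeroing here only covers packets that enter through this virtual device's write handler, so any other path that hands an skb with an unsupported `rf_tech_and_mode` to the same parser would still assign an uninitialized value to `ntf.ntf_type`. Suggest handling the unsupported value in the notification parser itself (reject the packet or return an error before `ntf_type` is read), and extending the commit message to explain why `skb->data` is still uninitialized after this allocation, since the hunk does not show how the buffer is filled.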