| Message ID | 20210330172253.10076-1-alaaemadhossney.ae@gmail.com |
|---|---|
| State | Rejected |
| Delegated to | Johannes Berg |
| Series | [v2] wireless/nl80211.c: fix uninitialized variable |
On 3/30/21 7:22 PM, Alaa Emad wrote: > This change fix KMSAN uninit-value in net/wireless/nl80211.c:225 , That > because of `fixedlen` variable uninitialized,So I initialized it by zero. > > Reported-by: syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com > Signed-off-by: Alaa Emad <alaaemadhossney.ae@gmail.com> > --- > Changes in v2: > - Make the commit message more clearer. > --- > net/wireless/nl80211.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > index 775d0c4d86c3..b87ab67ad33d 100644 > --- a/net/wireless/nl80211.c > +++ b/net/wireless/nl80211.c > @@ -210,7 +210,7 @@ static int validate_beacon_head(const struct nlattr *attr, > const struct element *elem; > const struct ieee80211_mgmt *mgmt = (void *)data; > bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control); > - unsigned int fixedlen, hdrlen; > + unsigned int fixedlen = 0, hdrlen; > > if (s1g_bcn) { > fixedlen = offsetof(struct ieee80211_ext, > What was the report exactly ? Current code does : unsigned int fixedlen; if (s1g_bcn) { fixedlen = something1; ... else { fixedlen = something2; ... } So your patch does nothing. Initial value of @fixedlen is not relevant. Reading this code (without access to KMSAN report) I suspect the issue is more like the following : diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 775d0c4d86c3..d815261917ff 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -209,9 +209,12 @@ static int validate_beacon_head(const struct nlattr *attr, unsigned int len = nla_len(attr); const struct element *elem; const struct ieee80211_mgmt *mgmt = (void *)data; - bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control); unsigned int fixedlen, hdrlen; + bool s1g_bcn; + if (len < offsetofend(typeof(*mgmt), frame_control)) + goto err; + s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control); if (s1g_bcn) { fixedlen = offsetof(struct ieee80211_ext, u.s1g_beacon.variable);
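Review bot: The proposed guard `if (len < offsetofend(typeof(*mgmt), frame_control)) goto err;` jumps to an `err` label that this hunk's context does not show; confirm the label exists in validate_beacon_head() before relying on it. Moving the `s1g_bcn` assignment below the guard is the right shape, since `mgmt` aliases only `len` bytes of attribute data and the original declaration-time `ieee80211_is_s1g_beacon(mgmt->frame_control)` read those bytes before any length check. The guard covers only the two `frame_control` bytes, so the `fixedlen` computed in the `if (s1g_bcn)` branches must still be compared against `len` before anything past the header is touched.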
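As an added illustration (not kernel code and not part of this thread), a user-space C model of the check ordering the reply argues for: the attribute length is compared against the end of `frame_control` before that field is decoded, and only then against the variant-specific fixed header. The struct layouts and all `_model` names are trimmed stand-ins of my own; the S1G type/subtype constants are my reading of the kernel's ieee80211 definitions.

```c
/* Added example, not kernel code: user-space model of the check ordering
 * argued for in the reply. Structs are trimmed stand-ins (_model suffix). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Same shape as the kernel's offsetofend() helper. */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Legacy beacon: 24-byte MAC header + timestamp/interval/capab = 36 bytes. */
struct mgmt_model {
	uint16_t frame_control, duration;
	uint8_t  da[6], sa[6], bssid[6];
	uint16_t seq_ctrl;
	uint8_t  timestamp[8];
	uint16_t beacon_int, capab_info;
	uint8_t  variable[];          /* first IE starts here */
};
/* S1G beacon (ieee80211_ext stand-in): 15-byte fixed part. */
struct ext_model {
	uint16_t frame_control, duration;
	uint8_t  sa[6], timestamp[4], change_seq;
	uint8_t  variable[];
};

/* Type EXT (0x0c) + subtype S1G_BEACON (0x10) under the 0x00fc
 * type/subtype mask, modelled on ieee80211_is_s1g_beacon(). */
static int is_s1g_beacon_model(uint16_t fc)
{
	return (fc & 0x00fc) == 0x001c;
}

/* Returns 0 if `len` bytes cover the variant's fixed header, else
 * -EINVAL. No byte past `len` is ever read: the length is checked
 * before frame_control is decoded, and again against fixedlen. */
static int validate_beacon_head_model(const uint8_t *data, size_t len)
{
	unsigned int fixedlen;
	uint16_t fc;
	if (len < offsetofend(struct mgmt_model, frame_control))
		return -EINVAL;            /* too short to even classify */
	fc = (uint16_t)(data[0] | (data[1] << 8));  /* __le16 on the wire */
	fixedlen = is_s1g_beacon_model(fc)
		 ? offsetof(struct ext_model, variable)
		 : offsetof(struct mgmt_model, variable);
	if (len < fixedlen)
		return -EINVAL;            /* fixed header truncated */
	return 0;
}
```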
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 775d0c4d86c3..b87ab67ad33d 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -210,7 +210,7 @@ static int validate_beacon_head(const struct nlattr *attr, const struct element *elem; const struct ieee80211_mgmt *mgmt = (void *)data; bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control); - unsigned int fixedlen, hdrlen; + unsigned int fixedlen = 0, hdrlen; if (s1g_bcn) { fixedlen = offsetof(struct ieee80211_ext,
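Review bot: `unsigned int fixedlen = 0, hdrlen;` is a dead initializer: the `if (s1g_bcn) { fixedlen = offsetof(struct ieee80211_ext, ...` that immediately follows (and, per the reply, its `else` arm) assigns `fixedlen` before any use, so this change does not alter behaviour and cannot be what KMSAN flagged. The uninitialized read is more plausibly `mgmt->frame_control` in the `bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);` initializer, which runs before the attribute length has been checked; the fix should guard `nla_len(attr)` before that read, and the commit message should quote the KMSAN stack so reviewers can see which access is reported.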
This change fixes a KMSAN uninit-value report in net/wireless/nl80211.c:225. That is because the `fixedlen` variable is uninitialized, so I initialized it to zero.

Reported-by: syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com
Signed-off-by: Alaa Emad <alaaemadhossney.ae@gmail.com>
---
Changes in v2:
- Make the commit message clearer.
---
 net/wireless/nl80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)