| Message ID | 20240213152414.3703-1-n.zhandarovich@fintech.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-63796-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:bc8a:b0:106:860b:bbdd with SMTP id
dn10csp611444dyb;
Tue, 13 Feb 2024 07:26:12 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IG4rOjs1uFUej0PkZJWulTuYkapmtR7nL0T6AM3B05e/b69hHU/aSN2tAPNaL+sSxwha57d
X-Received: by 2002:a05:6a20:c88b:b0:19e:a3cc:2496 with SMTP id
hb11-20020a056a20c88b00b0019ea3cc2496mr12180976pzb.10.1707837972750;
Tue, 13 Feb 2024 07:26:12 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1707837972; cv=pass;
d=google.com; s=arc-20160816;
b=GNQDXftausmIrf0KN+ywRDi+ruIZv0WLKoVuWAEr6dXc0yV0dkFgfPYmaJryRj/pSe
K7/91blQ3QZkFz3PBRq17PjQnlF81a8UVEy1cDUIWu9DAbSR3qxEaIhfQeDhlSKVDKny
8cCPCM+XT5gXbHPqhCtLNJsap+Cdg26xljLiGd671QJVXHawFVsvnhFUWdtEqNRdNsRy
rUeeayiP/roEAFNOEgLaX81cvf2i3nzfgfwGz3gpXfUoE9OnGdHb+lInn/2uHKvBVbZp
LJCzRLWBsxoaxH2KWH2EJzqAlzhozGVubDPipfjimDifQ1Mn3CnTXZZEf4dRyYdooETf
0poA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:message-id:date:subject:cc:to
:from;
bh=hJxZk0WEEnfNHCMXepU1dZqKIcaXKWzHO5eL/SmKL5A=;
fh=6pqewFhQFEHmSZ9fFuBDJuRCf7Z/+TP8yCJN5vcFGrY=;
b=fGBJKBpvTkFSm+J2RnWm71TiTA1iUbC/HJ7OWZHRbOt1+87UO/Du76GMm/kjyARBbP
Y4PKNj/Lplp/SGrwKJGuJ3db9foEmXE519jURqBQ02LmNFDEIREXILsIHFE4UEFQ3/Gv
CY/hn5uWfMKFE61yAAGjJLSSvsB2sxzHO6E6IvBNSVG5SEVY6FGmPDcTRIGq6h6sdhnr
4t8jtnIfTF45Eo/cbVJinj1yEEn5DjllEm57LIZEWPrufeL817hhzI32ELVH/PN5i1rY
8eWBOum5hitp1MC9UPuEhSUdcdc92VUr4Pys0mzE4MChFc2kIUwfUEBG2BCzXfNz4CeU
VKZg==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
arc=pass (i=1 spf=pass spfdomain=fintech.ru);
spf=pass (google.com: domain of
linux-kernel+bounces-63796-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-63796-ouuuleilei=gmail.com@vger.kernel.org"
X-Forwarded-Encrypted: i=2;
AJvYcCUIYjGl08WjrvvdbFDuX+mLxggvDbGPu30NIAUTpuG6s4XdjiwcrfeBEXn5UX20rqvOHVjZJ1oENTNczbRJ2ngcdIeRrQ==
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
by mx.google.com with ESMTPS id
eb14-20020a056a004c8e00b006e06d739e54si7087600pfb.13.2024.02.13.07.26.12
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 13 Feb 2024 07:26:12 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-63796-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
arc=pass (i=1 spf=pass spfdomain=fintech.ru);
spf=pass (google.com: domain of
linux-kernel+bounces-63796-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-63796-ouuuleilei=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id 51BC0284283
for <ouuuleilei@gmail.com>; Tue, 13 Feb 2024 15:24:55 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 511BF5EE75;
Tue, 13 Feb 2024 15:24:35 +0000 (UTC)
Received: from exchange.fintech.ru (exchange.fintech.ru [195.54.195.159])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id D64C75D902;
Tue, 13 Feb 2024 15:24:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=195.54.195.159
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1707837873; cv=none;
b=jN1XVInVt+IDSuoqDkojjr4l8WqktzTV8rSdNCYPXhch5iZJWNB9uTHpS9rEYMEliHk4J7MFTXtK999EjSvb8l4Gsa96oFKQwALlXUVZs2QHeYvE8mOSZeFxFQNoUB7KY6EnD/xOsnSKrKU5t29QOXZdY/rD4gfdjYyE8IHQwZg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1707837873; c=relaxed/simple;
bh=CwNvQx4cKxm4wTveQJa2fF9BF88LSILbE5saxxP+eqw=;
h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type;
b=F/iKuI7y2Tx+QDSFsr35EzvXa2uBbqET3fJGxfLlw26ZRPGh9ScS9JYaG6X++0e7BeerQmKcObFJa8O6ae4zwwXjEKERg8ULvVffvXLha3ddMxjiPWPT8rL0Vo/wyOQhyrlhLayGINkKUo5aDMjUEQMu5p1Ii1i9mU4In9298bU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=none (p=none dis=none) header.from=fintech.ru;
spf=pass smtp.mailfrom=fintech.ru; arc=none smtp.client-ip=195.54.195.159
Authentication-Results: smtp.subspace.kernel.org;
dmarc=none (p=none dis=none) header.from=fintech.ru
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=fintech.ru
Received: from Ex16-01.fintech.ru (10.0.10.18) by exchange.fintech.ru
(195.54.195.169) with Microsoft SMTP Server (TLS) id 14.3.498.0; Tue, 13 Feb
2024 18:24:20 +0300
Received: from localhost (10.0.253.138) by Ex16-01.fintech.ru (10.0.10.18)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Tue, 13 Feb
2024 18:24:20 +0300
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
To: Alexander Aring <alex.aring@gmail.com>
CC: Nikita Zhandarovich <n.zhandarovich@fintech.ru>, Stefan Schmidt
<stefan@datenfreihafen.org>, Miquel Raynal <miquel.raynal@bootlin.com>,
"David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
<linux-wpan@vger.kernel.org>, <netdev@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <syzkaller-bugs@googlegroups.com>,
<syzbot+60a66d44892b66b56545@syzkaller.appspotmail.com>
Subject: [PATCH wpan] mac802154: fix uninit-value issue in
ieee802154_header_create()
Date: Tue, 13 Feb 2024 07:24:14 -0800
Message-ID: <20240213152414.3703-1-n.zhandarovich@fintech.ru>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-ClientProxiedBy: Ex16-02.fintech.ru (10.0.10.19) To Ex16-01.fintech.ru
(10.0.10.18)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1790797910141491978
X-GMAIL-MSGID: 1790797910141491978
|
| Series |
[wpan] mac802154: fix uninit-value issue in ieee802154_header_create()
|
|
Commit Message
Nikita Zhandarovich
Feb. 13, 2024, 3:24 p.m. UTC
Syzkaller with KMSAN reported [1] a problem with uninitialized value
access in ieee802154_header_create().
The issue arises from a weird combination of cb->secen == 1 and
cb->secen_override == 0, while other required security parameters
are not found enabled in mac802154_set_header_security().
Ideally such case is expected to be caught by starting check at the
beginning of mac802154_set_header_security():
if (!params.enabled && cb->secen_override && cb->secen)
return -EINVAL;
However, since secen_override is zero, the function in question
passes this check and returns with success early, without having
set values to ieee802154_sechdr fields such as key_id_mode. This in
turn leads to uninitialized access of such values in
ieee802154_hdr_push_sechdr() and other places.
Fix this problem by only checking for secen value and presence of
security parameters (and ignoring secen_override). Exit early with
error if necessary requirements are not met.
[1]
BUG: KMSAN: uninit-value in ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline]
BUG: KMSAN: uninit-value in ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline]
ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
ieee802154_header_create+0x9c0/0xc00 net/mac802154/iface.c:396
wpan_dev_hard_header include/net/cfg802154.h:494 [inline]
dgram_sendmsg+0xd1d/0x1500 net/ieee802154/socket.c:677
ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Local variable hdr created at:
ieee802154_header_create+0x4e/0xc00 net/mac802154/iface.c:360
wpan_dev_hard_header include/net/cfg802154.h:494 [inline]
dgram_sendmsg+0xd1d/0x1500 net/ieee802154/socket.c:677
Fixes: f30be4d53cad ("mac802154: integrate llsec with wpan devices")
Reported-and-tested-by: syzbot+60a66d44892b66b56545@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=60a66d44892b66b56545
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
P.S. Link to previous similar discussion:
https://lore.kernel.org/all/tencent_1C04CA8D66ADC45608D89687B4020B2A8706@qq.com/
P.P.S. This issue may affect stable versions, at least up to 6.1.
net/mac802154/iface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Hi, On Tue, Feb 13, 2024 at 10:24 AM Nikita Zhandarovich <n.zhandarovich@fintech.ru> wrote: > > Syzkaller with KMSAN reported [1] a problem with uninitialized value > access in ieee802154_header_create(). > > The issue arises from a weird combination of cb->secen == 1 and > cb->secen_override == 0, while other required security parameters > are not found enabled in mac802154_set_header_security(). > In case of cb->secen is 1 and cb->secen_override is 0 mac802154_set_header_security() should depend on the ieee802154_llsec_params params. As [0] WPAN_SECURITY_DEFAULT signals this behaviour. > Ideally such case is expected to be caught by starting check at the > beginning of mac802154_set_header_security(): > > if (!params.enabled && cb->secen_override && cb->secen) > return -EINVAL; > > However, since secen_override is zero, the function in question > passes this check and returns with success early, without having > set values to ieee802154_sechdr fields such as key_id_mode. This in > turn leads to uninitialized access of such values in > ieee802154_hdr_push_sechdr() and other places. > > Fix this problem by only checking for secen value and presence of > security parameters (and ignoring secen_override). Exit early with > error if necessary requirements are not met. > > [1] > BUG: KMSAN: uninit-value in ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline] > BUG: KMSAN: uninit-value in ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108 > ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline] > ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108 > ieee802154_header_create+0x9c0/0xc00 net/mac802154/iface.c:396 > wpan_dev_hard_header include/net/cfg802154.h:494 [inline] > dgram_sendmsg+0xd1d/0x1500 net/ieee802154/socket.c:677 > ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 > sock_sendmsg_nosec net/socket.c:730 [inline] > __sock_sendmsg net/socket.c:745 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 > __sys_sendmsg net/socket.c:2667 [inline] > __do_sys_sendmsg net/socket.c:2676 [inline] > __se_sys_sendmsg net/socket.c:2674 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x63/0x6b > > Local variable hdr created at: > ieee802154_header_create+0x4e/0xc00 net/mac802154/iface.c:360 > wpan_dev_hard_header include/net/cfg802154.h:494 [inline] > dgram_sendmsg+0xd1d/0x1500 net/ieee802154/socket.c:677 > > Fixes: f30be4d53cad ("mac802154: integrate llsec with wpan devices") > Reported-and-tested-by: syzbot+60a66d44892b66b56545@syzkaller.appspotmailcom > Closes: https://syzkaller.appspot.com/bug?extid=60a66d44892b66b56545 > Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru> > --- > P.S. Link to previous similar discussion: > https://lore.kernel.org/all/tencent_1C04CA8D66ADC45608D89687B4020B2A8706@qq.com/ > P.P.S. This issue may affect stable versions, at least up to 6.1. > > net/mac802154/iface.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c > index c0e2da5072be..ad799d349625 100644 > --- a/net/mac802154/iface.c > +++ b/net/mac802154/iface.c > @@ -328,7 +328,7 @@ static int mac802154_set_header_security(struct ieee802154_sub_if_data *sdata, > > mac802154_llsec_get_params(&sdata->sec, ¶ms); > > - if (!params.enabled && cb->secen_override && cb->secen) > + if (!params.enabled && cb->secen) > return -EINVAL; > if (!params.enabled || > (cb->secen_override && !cb->secen) || > I think there is just a missing check if (!cb->secen_override) then use whatever mac802154_llsec_get_params() says and ignore secen_enabled. Also I think that we don't init those socket parameters to any value at [1] so it's completely random what values are at socket creation. - Alex [0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ieee802154/socket.c?h=v6.8-rc5#n911 [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ieee802154/socket.c?h=v6.8-rc5#n474
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c index c0e2da5072be..ad799d349625 100644 --- a/net/mac802154/iface.c +++ b/net/mac802154/iface.c @@ -328,7 +328,7 @@ static int mac802154_set_header_security(struct ieee802154_sub_if_data *sdata, mac802154_llsec_get_params(&sdata->sec, ¶ms); - if (!params.enabled && cb->secen_override && cb->secen) + if (!params.enabled && cb->secen) return -EINVAL; if (!params.enabled || (cb->secen_override && !cb->secen) ||