Re: [PATCH net v2] nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
From: Jeremy Cline
Date: Wed Mar 20 2024 - 10:13:14 EST
On Tue, Mar 19, 2024, at 8:54 PM, Ryosuke Yasuoka wrote:
> syzbot reported the following uninit-value access issue [1][2]:
>
> nci_rx_work() parses and processes received packet. When the payload
> length is zero, each message type handler reads uninitialized payload
> and KMSAN detects this issue. The receipt of a packet with a zero-size
> payload is considered unexpected, and therefore, such packets should be
> silently discarded.
>
> This patch resolved this issue by checking payload size before calling
> each message type handler codes.
>
> Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
> Reported-and-tested-by: syzbot+7ea9413ea6749baf5574@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-and-tested-by: syzbot+29b5ca705d2e0f4a44d2@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=7ea9413ea6749baf5574 [1]
> Closes: https://syzkaller.appspot.com/bug?extid=29b5ca705d2e0f4a44d2 [2]
> Signed-off-by: Ryosuke Yasuoka <ryasuoka@xxxxxxxxxx>
> ---
For what it's worth,
Reviewed-by: Jeremy Cline <jeremy@xxxxxxxxxx>