Re: [PATCH net v2] nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
From: Krzysztof Kozlowski
Date: Fri Mar 22 2024 - 02:14:53 EST
On 20/03/2024 01:54, Ryosuke Yasuoka wrote:
> syzbot reported the following uninit-value access issue [1][2]:
>
> nci_rx_work() parses and processes received packet. When the payload
> length is zero, each message type handler reads uninitialized payload
> and KMSAN detects this issue. The receipt of a packet with a zero-size
> payload is considered unexpected, and therefore, such packets should be
> silently discarded.
>
> This patch resolved this issue by checking payload size before calling
> each message type handler codes.
>
> Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
> Reported-and-tested-by: syzbot+7ea9413ea6749baf5574@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-and-tested-by: syzbot+29b5ca705d2e0f4a44d2@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=7ea9413ea6749baf5574 [1]
> Closes: https://syzkaller.appspot.com/bug?extid=29b5ca705d2e0f4a44d2 [2]
> Signed-off-by: Ryosuke Yasuoka <ryasuoka@xxxxxxxxxx>
> ---
>
> v2
> - Fix typo in commit message
> - Remove Call Trace from commit message that syzbot reported. Make it
> shorter than the previous version.
> - Check the payload length in earlier code path. And it can address
> another reported syzbot bug too. [2]
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxx>
Best regards,
Krzysztof