References: <20220822071902.3419042-1-tcs_kernel@tencent.com>
From: Alexander Aring
Date: Tue, 23 Aug 2022 08:22:13 -0400
Subject: Re: [PATCH] net/ieee802154: fix uninit value bug in dgram_sendmsg
To: Stefan Schmidt
Cc: Haimin Zhang, Alexander Aring, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-wpan - ML, Network Development, Linux Kernel Mailing List, Haimin Zhang
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On Tue, Aug 23, 2022 at 5:42 AM Stefan Schmidt wrote:
>
> Hello.
>
> On 22.08.22 09:19, Haimin Zhang wrote:
> > There is an uninit value bug in the dgram_sendmsg function in
> > net/ieee802154/socket.c when the length of the valid data pointed to by
> > msg->msg_name isn't verified.
> >
> > This length is specified by msg->msg_namelen. Function
> > ieee802154_addr_from_sa is called by dgram_sendmsg, which uses
> > msg->msg_name as struct sockaddr_ieee802154* and reads it, which will
> > eventually lead to an uninit value read. So we should check that the length
> > of msg->msg_name is not less than sizeof(struct sockaddr_ieee802154)
> > before entering ieee802154_addr_from_sa.
> >
> > Signed-off-by: Haimin Zhang
>
> This patch has been applied to the wpan tree and will be
> part of the next pull request to net. Thanks!

For me this patch is buggy, or at least it is questionable how to deal
with the size of ieee802154_addr_sa here. There should be a helper to
calculate the size, which depends on the addr_type field. It is not
required to send the last 6 bytes if addr_type is IEEE802154_ADDR_SHORT.

Nitpick is that we should check at the beginning of that function.

- Alex
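The following is an added illustration of the two points Alex raises above: the msg_namelen check belongs at the top of the function, before anything dereferences msg_name, and the required length depends on addr_type rather than being a flat sizeof(struct sockaddr_ieee802154). It is example code written for this thread, not the patch under discussion and not kernel code. It mirrors the sockaddr_ieee802154 / ieee802154_addr_sa layout and the IEEE802154_ADDR_* values in userspace so it builds with an ordinary C compiler, and it assumes that the conversion in ieee802154_addr_from_sa reads addr_type and pan_id unconditionally and then only the union member selected by addr_type. The helper name ieee802154_sockaddr_min_len and the check function are hypothetical, and the sample addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE802154_ADDR_LEN 8

/* Address types, values as in include/net/af_ieee802154.h (copied here so
 * the example builds outside the kernel tree). */
enum {
	IEEE802154_ADDR_NONE  = 0x0,
	IEEE802154_ADDR_SHORT = 0x2,
	IEEE802154_ADDR_LONG  = 0x3,
};

/* Userspace mirror of the kernel's sockaddr layout for AF_IEEE802154. */
struct ieee802154_addr_sa {
	int addr_type;
	uint16_t pan_id;
	union {
		uint8_t hwaddr[IEEE802154_ADDR_LEN];
		uint16_t short_addr;
	};
};

struct sockaddr_ieee802154 {
	uint16_t family;                /* stands in for sa_family_t */
	struct ieee802154_addr_sa addr;
};

/* Hypothetical helper of the kind suggested in the thread: how many bytes of
 * msg_name the conversion would actually read for a given addr_type.
 * Assumes addr_type and pan_id are read unconditionally, then only the
 * union member selected by addr_type. Returns 0 for an unknown type so
 * the caller rejects it. */
static size_t ieee802154_sockaddr_min_len(int addr_type)
{
	const size_t base = offsetof(struct sockaddr_ieee802154, addr);

	switch (addr_type) {
	case IEEE802154_ADDR_NONE:
		return base + offsetof(struct ieee802154_addr_sa, pan_id) + sizeof(uint16_t);
	case IEEE802154_ADDR_SHORT:
		return base + offsetof(struct ieee802154_addr_sa, short_addr) + sizeof(uint16_t);
	case IEEE802154_ADDR_LONG:
		return base + offsetof(struct ieee802154_addr_sa, hwaddr) + IEEE802154_ADDR_LEN;
	default:
		return 0;
	}
}

/* The early check: nothing in msg_name is dereferenced until msg_namelen
 * proves the bytes are present. Returns 0 when the buffer covers every
 * field the conversion reads, -1 otherwise (EINVAL territory in the kernel). */
static int ieee802154_check_msg_name(const void *msg_name, size_t msg_namelen)
{
	const size_t type_off = offsetof(struct sockaddr_ieee802154, addr) +
				offsetof(struct ieee802154_addr_sa, addr_type);
	int addr_type;
	size_t need;

	if (!msg_name)
		return -1;
	/* addr_type itself must be fully inside the buffer before it is read. */
	if (msg_namelen < type_off + sizeof(addr_type))
		return -1;
	memcpy(&addr_type, (const unsigned char *)msg_name + type_off, sizeof(addr_type));

	need = ieee802154_sockaddr_min_len(addr_type);
	if (need == 0 || msg_namelen < need)
		return -1;
	return 0;
}

/* Constructed sample: fill a sockaddr of the given type and run the check
 * with the caller-supplied msg_namelen, as dgram_sendmsg would receive it. */
static int check_sample(int addr_type, size_t msg_namelen)
{
	struct sockaddr_ieee802154 sa;

	memset(&sa, 0, sizeof(sa));
	sa.addr.addr_type = addr_type;
	sa.addr.pan_id = 0x1234;                 /* constructed PAN id */
	if (addr_type == IEEE802154_ADDR_LONG)
		memset(sa.addr.hwaddr, 0xab, IEEE802154_ADDR_LEN);  /* constructed */
	else
		sa.addr.short_addr = 0x0001;         /* constructed short address */
	return ieee802154_check_msg_name(&sa, msg_namelen);
}

int main(void)
{
	size_t short_len = ieee802154_sockaddr_min_len(IEEE802154_ADDR_SHORT);
	size_t long_len  = ieee802154_sockaddr_min_len(IEEE802154_ADDR_LONG);

	printf("short needs %zu bytes, long needs %zu, full struct is %zu\n",
	       short_len, long_len, sizeof(struct sockaddr_ieee802154));
	printf("short addr, namelen=%zu: %d\n", short_len,
	       check_sample(IEEE802154_ADDR_SHORT, short_len));
	printf("long addr,  namelen=%zu: %d\n", short_len,
	       check_sample(IEEE802154_ADDR_LONG, short_len));
	printf("short addr, namelen=3: %d\n", check_sample(IEEE802154_ADDR_SHORT, 3));
	return 0;
}
```

The difference between the long and short minimum lengths is exactly the 6 trailing hwaddr bytes Alex mentions: a sender using IEEE802154_ADDR_SHORT legitimately passes a shorter msg_namelen, so a flat check against the full struct size rejects it, while a check that only reads addr_type after confirming those bytes exist, and then sizes the rest by type, accepts it without ever touching uninitialized memory.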