From: zhang haiming
Date: Tue, 30 Aug 2022 15:04:36 +0800
Subject: Re: [PATCH] net/ieee802154: fix uninit value bug in dgram_sendmsg
To: Stefan Schmidt
Cc: Alexander Aring, Alexander Aring, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-wpan - ML, Network Development, Linux Kernel Mailing List, Haimin Zhang
References: <20220822071902.3419042-1-tcs_kernel@tencent.com> <85f66a3a-95fa-5aaa-def0-998bf3f5139f@datenfreihafen.org>
In-Reply-To: <85f66a3a-95fa-5aaa-def0-998bf3f5139f@datenfreihafen.org>
List-ID: linux-kernel@vger.kernel.org

Thanks to all. I have sent patch v2 to fix this.

On Mon, Aug 29, 2022 at 5:08 PM Stefan Schmidt wrote:
>
>
> Hello Alex.
>
> On 23.08.22 14:22, Alexander Aring wrote:
> > Hi,
> >
> > On Tue, Aug 23, 2022 at 5:42 AM Stefan Schmidt wrote:
> >>
> >> Hello.
> >>
> >> On 22.08.22 09:19, Haimin Zhang wrote:
> >>> There is an uninit value bug in the dgram_sendmsg function in
> >>> net/ieee802154/socket.c when the length of the valid data pointed to by
> >>> msg->msg_name isn't verified.
> >>>
> >>> This length is specified by msg->msg_namelen. The function
> >>> ieee802154_addr_from_sa is called by dgram_sendmsg, which uses
> >>> msg->msg_name as a struct sockaddr_ieee802154 * and reads it, which will
> >>> eventually lead to an uninit value read. So we should check that the length of
> >>> msg->msg_name is not less than sizeof(struct sockaddr_ieee802154)
> >>> before entering ieee802154_addr_from_sa.
> >>>
> >>> Signed-off-by: Haimin Zhang
> >>
> >>
> >> This patch has been applied to the wpan tree and will be
> >> part of the next pull request to net. Thanks!
> >
> > For me this patch is buggy, or at least it is questionable how to deal
> > with the size of ieee802154_addr_sa here.
>
> You are right. I completely missed this. Thanks for spotting!
>
> > There should be a helper to calculate the size which depends on the
> > addr_type field. It is not required to send the last 6 bytes if
> > addr_type is IEEE802154_ADDR_SHORT.
> > Nitpick is that we should check in the beginning of that function.
>
> Haimin, in ieee802154 we could have two different sizes for
> ieee802154_addr_sa depending on the addr_type. We have short and
> extended addresses.
>
> Could you please rework this patch to take this into account as Alex
> suggested?
>
> I reverted your original patch from my tree.
>
> regards
> Stefan Schmidt
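The addr_type-dependent length check Alex asks for in the thread above, as an added example in user-space C. This is not the kernel's code and not the v2 patch Haimin mentions; the struct layouts and constants are assumed to mirror what include/net/af_ieee802154.h declares, and the helper names ieee802154_sockaddr_min_len(), ieee802154_sockaddr_check() and check_sample() are hypothetical. The point it demonstrates is that the check must be staged: addr_type has to lie inside the msg_namelen bytes before it is read, and only then can the type decide how many further bytes are required. With this check, a caller that supplies a short address and omits the trailing 6 bytes of hwaddr is accepted, whereas the v1 check against sizeof(struct sockaddr_ieee802154) would have rejected it; a long address of that same truncated length is still rejected.

```c
/*
 * Added example, not code from the kernel or from the v2 patch: a
 * user-space model of an addr_type-dependent msg_namelen check for
 * AF_IEEE802154. Struct layouts and constants are assumed to mirror
 * include/net/af_ieee802154.h; the helper names are hypothetical.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_IEEE802154       36  /* value from linux/socket.h */
#define IEEE802154_ADDR_LEN 8   /* extended (long) address, 8 bytes */

enum {
	IEEE802154_ADDR_NONE  = 0x0,
	IEEE802154_ADDR_SHORT = 0x2,
	IEEE802154_ADDR_LONG  = 0x3,
};

struct ieee802154_addr_sa {
	int addr_type;
	uint16_t pan_id;
	union {
		uint8_t hwaddr[IEEE802154_ADDR_LEN];
		uint16_t short_addr;
	};
};

struct sockaddr_ieee802154 {
	uint16_t family;                /* sa_family_t, AF_IEEE802154 */
	struct ieee802154_addr_sa addr;
};

/* First byte past member m of struct t (the kernel has this macro too). */
#define offsetofend(t, m) (offsetof(t, m) + sizeof(((t *)0)->m))

/* Bytes of msg_name that must be present before addr_type may be read. */
#define ADDR_TYPE_END \
	(offsetof(struct sockaddr_ieee802154, addr) + \
	 offsetofend(struct ieee802154_addr_sa, addr_type))

/*
 * Minimum msg_namelen for the address type found in msg_name, or -EINVAL.
 * addr_type is only consulted once it is known to be inside the buffer;
 * otherwise the size check would read the very bytes it is meant to guard.
 * A short address ends after short_addr, so the last 6 bytes of hwaddr
 * are not required.
 */
static int ieee802154_sockaddr_min_len(const void *msg_name, size_t namelen)
{
	const struct sockaddr_ieee802154 *sa = msg_name;

	if (namelen < ADDR_TYPE_END)
		return -EINVAL;

	switch (sa->addr.addr_type) {
	case IEEE802154_ADDR_SHORT:
		return offsetof(struct sockaddr_ieee802154, addr) +
		       offsetofend(struct ieee802154_addr_sa, short_addr);
	case IEEE802154_ADDR_LONG:
		return offsetof(struct sockaddr_ieee802154, addr) +
		       offsetofend(struct ieee802154_addr_sa, hwaddr);
	default:
		return -EINVAL;
	}
}

/* 0 if msg_name/namelen holds a complete address of its type, else -EINVAL. */
int ieee802154_sockaddr_check(const void *msg_name, size_t namelen)
{
	int need = ieee802154_sockaddr_min_len(msg_name, namelen);

	if (need < 0)
		return need;
	return namelen >= (size_t)need ? 0 : -EINVAL;
}

/*
 * Constructed input for the demo: a full-size buffer filled with 0xAA
 * (standing in for uninitialised memory) with only family and addr_type
 * set. Only the first namelen bytes count as caller-supplied.
 */
int check_sample(int addr_type, size_t namelen)
{
	struct sockaddr_ieee802154 sa;

	memset(&sa, 0xAA, sizeof(sa));
	sa.family = AF_IEEE802154;
	sa.addr.addr_type = addr_type;
	return ieee802154_sockaddr_check(&sa, namelen);
}

int main(void)
{
	size_t full = sizeof(struct sockaddr_ieee802154);

	printf("short, full size     : %d\n", check_sample(IEEE802154_ADDR_SHORT, full));
	printf("short, 6 bytes fewer : %d\n", check_sample(IEEE802154_ADDR_SHORT, full - 6));
	printf("long,  6 bytes fewer : %d\n", check_sample(IEEE802154_ADDR_LONG, full - 6));
	printf("short, addr_type cut : %d\n", check_sample(IEEE802154_ADDR_SHORT, 4));
	printf("none,  full size     : %d\n", check_sample(IEEE802154_ADDR_NONE, full));
	return 0;
}
```

Build with `cc -std=c11 -Wall` and run; the first two cases report 0 and the remaining three report -EINVAL. In a real sendmsg path the check would sit at the top of the function, before anything dereferences msg->msg_name, which is the placement Alex's nitpick asks for.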