Date: Sat, 02 Dec 2023 19:01:04 +0530
From: Siddh Raman Pant
To: Krzysztof Kozlowski
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel
Message-ID: <18c2ab9bba5.26abdb8f38744.5002982123699219766@siddh.me>
Subject: Re: [PATCH 1/4] nfc: Extract nfc_dev access from nfc_alloc_send_skb() into the callers

On Mon, 27 Nov 2023 15:40:51 +0530, Krzysztof Kozlowski wrote:
> On 25/11/2023 21:26, Siddh Raman Pant wrote:
> > The only reason why nfc_dev was accessed inside nfc_alloc_send_skb() is
> > for getting the headroom and tailroom values.
> >
> > This can cause UAF to be reported from nfc_alloc_send_skb(), but the
> > callers are responsible for managing the device access, and thus the
> > UAF being reported, as the callers (like nfc_llcp_send_ui_frame()) may
> > repeatedly call this function, and this function will repeatedly try
> > to get the same headroom and tailroom values.
>
> I don't understand this sentence.
>
> "This can cause ..., but ...". "But" starts another clause which should be
> contradictory to the previous one.

Sorry about that, I should have phrased it better.

> > Thus, put the nfc_dev access responsibility on the callers and accept
> > the headroom and tailroom values directly.
>
> Is this a fix or improvement? If fix, is the UAF real? If so, you are
> missing the Fixes tag.
I intended to remove access to nfc_dev (accessing which causes UAF) inside this function, as it is used only for fetching the headroom and tailroom integral values.

nfc_llcp_send_ui_frame() called this function in a do-while loop, so I thought of extracting the values before the loop, so that in the next patch where I used locking, I would have to lock only once*. Since these are two units of changes, I separated them into two patches.

Though since the next patch is shit anyways, this patch is not needed.

Thanks,
Siddh
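The two allocator shapes the thread discusses, as an added illustration in plain C that is not the kernel's code or the author's patch: the struct definitions are constructed stand-ins, deref_count is a test-only field, and send_frames() is a hypothetical loop standing in for nfc_llcp_send_ui_frame(). It makes the motivation measurable: with the old shape the device is touched once per frame, with the hoisted shape exactly once per send, which is the single point a lock would have to guard.

```c
#include <stdlib.h>
/* Constructed stand-ins (assumptions, not the kernel's definitions): nfc_dev
 * keeps the two fields the allocator needs plus a test-only dereference
 * counter; sk_buff keeps only the reserved room and payload length. */
struct nfc_dev { unsigned int tx_headroom, tx_tailroom, deref_count; };
struct sk_buff { unsigned int headroom, tailroom, len; };

/* After the patch: the allocator takes the integers; dev is the caller's concern. */
static struct sk_buff *alloc_send_skb_new(unsigned int headroom, unsigned int tailroom, unsigned int size)
{
    struct sk_buff *skb = calloc(1, sizeof(*skb));
    if (skb) {
        skb->headroom = headroom;
        skb->tailroom = tailroom;
        skb->len = size;
    }
    return skb;
}

/* Before the patch: the allocator reaches into dev on every call, so a send
 * loop pays one device access per frame. */
static struct sk_buff *alloc_send_skb_old(struct nfc_dev *dev, unsigned int size)
{
    dev->deref_count++;
    return alloc_send_skb_new(dev->tx_headroom, dev->tx_tailroom, size);
}

/* Hypothetical send loop shaped like nfc_llcp_send_ui_frame(): split `total`
 * bytes into frames of at most `chunk` bytes and return how many were built.
 * With hoist == 0 the old allocator runs; with hoist != 0 the room values are
 * read once before the loop, the single point a lock would have to guard. */
static unsigned int send_frames(struct nfc_dev *dev, unsigned int total, unsigned int chunk, int hoist)
{
    unsigned int headroom = 0, tailroom = 0, sent = 0;
    if (!chunk)
        return 0;
    if (hoist) {
        dev->deref_count++;
        headroom = dev->tx_headroom;
        tailroom = dev->tx_tailroom;
    }
    while (total > 0) {
        unsigned int n = total < chunk ? total : chunk;
        struct sk_buff *skb = hoist ? alloc_send_skb_new(headroom, tailroom, n)
                                    : alloc_send_skb_old(dev, n);
        if (!skb) break;
        free(skb); /* stands in for handing the frame to the device */
        total -= n;
        sent++;
    }
    return sent;
}
```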