From: Nikita Zhandarovich
To: Alexander Aring
CC: Nikita Zhandarovich, Zhang Shurong
Subject: Re: [PATCH RESEND] mac802154: Fix uninit-value access in ieee802154_hdr_push_sechdr
Date: Fri, 12 Jan 2024 05:15:54 -0800
Message-ID: <20240112131554.10352-1-n.zhandarovich@fintech.ru>

>> > >
>> > > BUG: KMSAN: uninit-value in ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline]
>> > > BUG: KMSAN: uninit-value in ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
>> > > ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline]
>> > > ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
>> > > ieee802154_header_create+0x9c0/0xc00 net/mac802154/iface.c:396
>> > > wpan_dev_hard_header include/net/cfg802154.h:494 [inline]
>> > > dgram_sendmsg+0xd1d/0x1500 net/ieee802154/socket.c:677
>> > > ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
>> > > sock_sendmsg_nosec net/socket.c:725 [inline]
>> > > sock_sendmsg net/socket.c:748 [inline]
>> > > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2494
>> > > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2548
>> > > __sys_sendmsg+0x225/0x3c0 net/socket.c:2577
>> > > __compat_sys_sendmsg net/compat.c:346 [inline]
>> > > __do_compat_sys_sendmsg net/compat.c:353 [inline]
>> > > __se_compat_sys_sendmsg net/compat.c:350 [inline]
>> > >
>> > > We found hdr->key_id_mode is uninitialized in mac802154_set_header_security(),
>> > > which indicates hdr.fc.security_enabled should be 0. However, it is set to cb->secen before.
>> > > Later, ieee802154_hdr_push_sechdr is invoked, causing KMSAN to complain about an uninit-value issue.
>> >
>> > I am not too deeply involved in the security header but for me it feels
>> > like your patch does the opposite of what's needed. We should maybe
>> > initialize hdr->key_id_mode based on the value in cb->secen, no? (maybe
>> > Alexander will have a better understanding than I have).
>>
>> I can't help yet with a better answer why syzkaller reports it but it
>> will break things as we are using skb->cb to pass additional parameters
>> through header_ops->create()... in this case it is some sockopts of
>> af802154, I guess.
>>
>
> Maybe we just need to init some "more" defaults in [0]
>
> - Alex
>
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ieee802154/socket.c?h=v6.7-rc5#n474

Hello,

I was looking into the same issue (now present in syzbot [1]) and since it
has a C repro, the error is easy to recreate.

Apparently, despite cb->secen (and hdr.fc.security_enabled accordingly)
being equal to 1, mac802154_set_header_security() finishes with 0 in:

	if (!params.enabled || (cb->secen_override && !cb->secen) ||
	    !params.out_level)
		return 0;

Not presuming to understand the issue fully, but if we do end up leaving
mac802154_set_header_security() early, should we init hdr->key_id_mode
with IEEE802154_SCF_KEY_IMPLICIT before returning 0? I imagine that
resetting hdr.fc.security_enabled to 0 ourselves in this case is the
wrong way to go too.

[1] https://syzkaller.appspot.com/bug?extid=60a66d44892b66b56545

Hoping not to have spewed too much nonsense here...

With regards,
Nikita
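As an added illustration (not the kernel's code and not part of the thread), a self-contained C model of the early-return hazard discussed above: the header is poison-filled to stand in for KMSAN's tracking of never-written memory, and the early-return path as described in the report is compared with a variant that gives key_id_mode its IEEE802154_SCF_KEY_IMPLICIT default before returning. The struct layouts, function names, POISON value and the scenario inputs are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the fields named in the thread (not kernel definitions);
 * POISON emulates KMSAN's view of never-written memory. */
#define IEEE802154_SCF_KEY_IMPLICIT 0
#define POISON 0xAA

struct hdr { struct { int security_enabled; } fc; uint8_t key_id_mode; };
struct cb { int secen; int secen_override; };
struct params { int enabled; int out_level; };
typedef int (*setsec_fn)(struct hdr *, const struct cb *, const struct params *);

/* Path as described in the thread: security_enabled is copied from cb->secen,
 * but key_id_mode is written only after the early return. */
static int set_header_security_as_reported(struct hdr *h, const struct cb *cb, const struct params *p)
{
	h->fc.security_enabled = cb->secen;
	if (!p->enabled || (cb->secen_override && !cb->secen) || !p->out_level)
		return 0;
	h->key_id_mode = IEEE802154_SCF_KEY_IMPLICIT;
	return 0;
}

/* Idea floated in the reply: default key_id_mode before any early return. */
static int set_header_security_defaulted(struct hdr *h, const struct cb *cb, const struct params *p)
{
	h->fc.security_enabled = cb->secen;
	h->key_id_mode = IEEE802154_SCF_KEY_IMPLICIT;
	if (!p->enabled || (cb->secen_override && !cb->secen) || !p->out_level)
		return 0;
	return 0;	/* the full security setup would continue here */
}

/* Consumer modelled on the push_sechdr step: it reads key_id_mode only when
 * security is enabled; returns 1 if that byte was never written. */
static int push_sechdr_reads_uninit(const struct hdr *h)
{
	return h->fc.security_enabled && h->key_id_mode == POISON;
}

/* Scenario from the report: secen = 1 while the security params are off. */
static int scenario(setsec_fn setsec)
{
	struct hdr h;
	struct cb cb = { .secen = 1, .secen_override = 0 };
	struct params p = { .enabled = 0, .out_level = 0 };
	memset(&h, POISON, sizeof(h));	/* emulate uninitialised stack memory */
	setsec(&h, &cb, &p);
	return push_sechdr_reads_uninit(&h);
}
```

The same poison-fill check is a cheap way to catch init gaps on other early-return paths in unit tests before a KMSAN run does.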