Received: by 2002:a05:7412:8d11:b0:fa:4934:9f with SMTP id bj17csp315609rdb;
        Sun, 14 Jan 2024 19:32:39 -0800 (PST)
X-Google-Smtp-Source: AGHT+IG3Q7gJfjZFpnez2uVh6RV/8vSWIk4uZdEDu/n1m9knJk1s9bAywlazY1iTfX/8FOAfA6Y6
X-Received: by 2002:a2e:8090:0:b0:2cc:7718:edff with SMTP id i16-20020a2e8090000000b002cc7718edffmr2038081ljg.70.1705289559683;
        Sun, 14 Jan 2024 19:32:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1705289559; cv=none;
        d=google.com; s=arc-20160816;
        b=UCW9XlfAQFWMBaZfTIVP//+PAc30ibk3aY3SBuG6iulk4JOBQRWQUycQWN8hm9SFai
         RC3if8jfT01elf/mBEJlghahlI5uqTLMtIUTDBj6w06SBr6kKXuwVM67p8LKzfBUQNg+
         TTq9oOrMeRwQOKl2Qv1gvi3W63sWKMlBs13s79vNN4RzhVmfHxa7hJKQTg87mkJ9rtgv
         XRPS4UaD7IEkELlR2wWzxhqpHyeHQclwiY/6+Cvb8yKOCjFfJW97Cmt9qxv/2BAupCpe
         EPquC2UHvhgtfQo00la7BIImU2aNry1ll5slOsPPyKiITy/8bunCe/VRBYekhHlyLVAP
         IDpA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=ALGKSPiwx3An9TAdIFkfIrrz7nokmTgvsAQvBw77JOo=;
        fh=XMrMEkewe0PJ3OKMaNvb+dV78rqHb/ldtk3dYWdM4us=;
        b=zrYWvFv1dgKP8gpkPjlStJ+X865k46DYC7TrdqlpQL5+BuX3M2lMxz/7rkRN21GUWk
         9PoPCZDVNU8W8U0tWJSCgiPiPRdAQ8TONJVKHoxQOLTFXR/idX73I8Ulqkt84WC7mnq1
         pNpBBdSm9VGy7dbI9vxqoNFNIPka1GyVuF4XJCZKXWMkvbOb6hLjOXPAZ/4Fa9BrsFyn
         jgjLGxbEsZjKAyEZxS+xbxHJMyf96aYrRbTyimezGKplPWeVHBn6A2KRicEirQsW688L
         /OJUUBAbCpVpo+kYQchVqf9x0zCjYGC+NwP2uPm+7cdF9r0V6ESqjoUaZtIqyPkG0+4P
         3dzg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Ld9N7Rqo;
       spf=pass (google.com: domain of linux-kernel+bounces-25606-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-25606-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel+bounces-25606-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3])
        by mx.google.com with ESMTPS id j16-20020a05640211d000b00558609cde02si3603565edw.232.2024.01.14.19.32.39
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 14 Jan 2024 19:32:39 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-25606-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Ld9N7Rqo;
       spf=pass (google.com: domain of linux-kernel+bounces-25606-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-25606-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 408551F212A9
	for <linux.lists.archive@gmail.com>; Mon, 15 Jan 2024 03:32:39 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id B2E223C23;
	Mon, 15 Jan 2024 03:32:31 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Ld9N7Rqo"
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 20C4129A5
	for <linux-kernel@vger.kernel.org>; Mon, 15 Jan 2024 03:32:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1705289548;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=ALGKSPiwx3An9TAdIFkfIrrz7nokmTgvsAQvBw77JOo=;
	b=Ld9N7RqoibGtpaI3ZOxdZkvZUJm8H2+xZ6GZIXLOXlHCJTbdnQIeHXry/MAa8D7ZroqkUj
	RIENqve7LwCAvBqVo8sEU4A5P8S6EzEDrnzY3mgOqaWkty70aHF7n0wQP1otY3S9T9ml2M
	cC4RTyDE6v7nr1On82w3RLU5S21JkVc=
Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com
 [209.85.208.69]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-85-GAsldp_UNA-UbQS65Zc0KA-1; Sun, 14 Jan 2024 22:32:26 -0500
X-MC-Unique: GAsldp_UNA-UbQS65Zc0KA-1
Received: by mail-ed1-f69.google.com with SMTP id 4fb4d7f45d1cf-559391de41bso349389a12.3
        for <linux-kernel@vger.kernel.org>; Sun, 14 Jan 2024 19:32:26 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1705289545; x=1705894345;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=ALGKSPiwx3An9TAdIFkfIrrz7nokmTgvsAQvBw77JOo=;
        b=tGQzqPWIop+n3WPSQtPX/glWUvfnqYOL8C7b04zoJUc3+/Jk16XfdhzQrpSkqInn0A
         MAlFNlBTbCkRnLnFNoOld6dMbLRoJOWwLKdta0vyaak3adUJuuKtapTrKJSVh4WFQs3l
         5n5s2cQu/yC9+uBfmStKsAaJc9knuzw5Q/kbBuc3Z7YOblfhMPhaecKHcWIlY5+dOeoL
         m/Tbfvqq7ys+8PoIjdGGn1hmjy9cTTk04xkC33MNR5hM+Z+2abCqk4Oj8+f4m/2MWtr4
         NKG9Hc61JZ3f1rmoaBmyWtyzUvgJpOMk+PMnJ1J+n+OdtGi0cpssmzEMbBo/oM7wX+Tz
         tMOw==
X-Gm-Message-State: AOJu0Yw111hclHtkMA+rhph1JymrrhVhi6xYrRjaHBBnj6zz0Wm0wAVg
	QnF1u7JB9DwWVkDY8anzA/28GUaEgtZrVQjjh6+mvKi8X9YRGdwnQE3zJsuW/1w6R9ZCjbFDsFi
	6lVNvq8iUSvhlAiuwDP5nZ9QIZLFuXHLpRstMTc9n+wGdxat9
X-Received: by 2002:a05:6402:7d6:b0:54c:53a6:c49 with SMTP id u22-20020a05640207d600b0054c53a60c49mr2264880edy.16.1705289545530;
        Sun, 14 Jan 2024 19:32:25 -0800 (PST)
X-Received: by 2002:a05:6402:7d6:b0:54c:53a6:c49 with SMTP id
 u22-20020a05640207d600b0054c53a60c49mr2264870edy.16.1705289545205; Sun, 14
 Jan 2024 19:32:25 -0800 (PST)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <CAK-6q+jsZ13Cs9iuk_WjFeYFCEnnj-dJ9QYkWaw4fh6Gi=JtHA@mail.gmail.com>
 <20240112131554.10352-1-n.zhandarovich@fintech.ru>
In-Reply-To: <20240112131554.10352-1-n.zhandarovich@fintech.ru>
From: Alexander Aring <aahringo@redhat.com>
Date: Sun, 14 Jan 2024 22:32:13 -0500
Message-ID: <CAK-6q+gcs2djQfKRsuGpD7WERmbLhzjkHEm80MRe+2UE3bteKw@mail.gmail.com>
Subject: Re: [PATCH RESEND] mac802154: Fix uninit-value access in ieee802154_hdr_push_sechdr
To: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Cc: Zhang Shurong <zhang_shurong@foxmail.com>, alex.aring@gmail.com, 
	stefan@datenfreihafen.org, davem@davemloft.net, edumazet@google.com, 
	kuba@kernel.org, pabeni@redhat.com, linux-wpan@vger.kernel.org, 
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org, 
	harperchen1110@gmail.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On Fri, Jan 12, 2024 at 8:16=E2=80=AFAM Nikita Zhandarovich
<n.zhandarovich@fintech.ru> wrote:
>
> >> > >
> >> > > BUG: KMSAN: uninit-value in ieee802154_hdr_push_sechdr net/ieee802=
154=3D
> > /header_ops.c:54 [inline]
> >> > > BUG: KMSAN: uninit-value in ieee802154_hdr_push+0x971/0xb90 net/ie=
ee8=3D
> > 02154/header_ops.c:108
> >> > >  ieee802154_hdr_push_sechdr net/ieee802154/header_ops.c:54 [inline=
]
> >> > >  ieee802154_hdr_push+0x971/0xb90 net/ieee802154/header_ops.c:108
> >> > >  ieee802154_header_create+0x9c0/0xc00 net/mac802154/iface.c:396
> >> > >  wpan_dev_hard_header include/net/cfg802154.h:494 [inline]
> >> > >  dgram_sendmsg+0xd1d/0x1500 net/ieee802154/socket.c:677
> >> > >  ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
> >> > >  sock_sendmsg_nosec net/socket.c:725 [inline]
> >> > >  sock_sendmsg net/socket.c:748 [inline]
> >> > >  ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2494
> >> > >  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2548
> >> > >  __sys_sendmsg+0x225/0x3c0 net/socket.c:2577
> >> > >  __compat_sys_sendmsg net/compat.c:346 [inline]
> >> > >  __do_compat_sys_sendmsg net/compat.c:353 [inline]
> >> > >  __se_compat_sys_sendmsg net/compat.c:350 [inline]
> >> > >
> >> > > We found hdr->key_id_mode is uninitialized in mac802154_set_header=
_se=3D
> > curity()
> >> > > which indicates hdr.fc.security_enabled should be 0. However, it i=
s s=3D
> > et to be cb->secen before.
> >> > > Later, ieee802154_hdr_push_sechdr is invoked, causing KMSAN compla=
ins=3D
> >  uninit-value issue.
> >> >
> >> > I am not too deeply involved in the security header but for me it fe=
els
> >> > like your patch does the opposite of what's needed. We should maybe
> >> > initialize hdr->key_id_mode based on the value in cb->secen, no? (ma=
ybe
> >> > Alexander will have a better understanding than I have).
> >>
> >> I can't help yet with a better answer why syzkaller reports it but it
> >> will break things as we using skb->cb to pass additional parameters
> >> through header_ops->create()... in this case it is some sockopts of
> >> af802154, I guess.
> >>
> >
> > Maybe we just need to init some "more" defaults in [0]
> >
> > - Alex
> >
> > [0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/=
tree=3D
> > /net/ieee802154/socket.c?h=3D3Dv6.7-rc5#n474
>
> Hello,
>
> I was looking into the same issue (now present in syzbot [1]) and since i=
t has a
> C-repro, the error is easy to recreate. Apparently, despite cb->secen (an=
d
> hdr.fc.security_enabled accordingly) being equal 1, mac802154_set_header_=
security()
> finishes with 0 in:
>
>         if (!params.enabled ||
>             (cb->secen_override && !cb->secen) ||
>             !params.out_level)
>             return 0;
>
> Not presuming to understand the issue fully but if we do end up leaving
> mac802154_set_header_security() early, should we init hdr->key_id_mode
> with IEEE802154_SCF_KEY_IMPLICIT before returning with 0?
> I imagine that reseting hdr.fc.security_enabled to 0 ourselves in this
> case is a wrong way to go too.
>

I think here are two problems:

1.
When (in any way) secen path is hit then we should make sure some
other security parameters are set, if not return with an error. This
needs to be done somewhere in the 802.15.4 socket code. [0]

2.
The "secen path" itself in the socket code need to have defaults to be
disabled. [1]

> [1] https://syzkaller.appspot.com/bug?extid=3D60a66d44892b66b56545
>

Well we can test now but I think this is a check for the 1. case only.

> Hoping not to have spewed too much nonsense here...
>

I hope my words make sense here, too. :-)

- Alex

[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree=
/net/ieee802154/socket.c#n669
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree=
/net/ieee802154/socket.c#n474