Received: by 2002:ab2:3350:0:b0:1f4:6588:b3a7 with SMTP id o16csp1920578lqe;
        Tue, 9 Apr 2024 04:50:38 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWJEi45OXjQAjG+E6kkRIXYPiC44pcPwB0RdyD/uuHdrDKK+dtjKKXRhVNuvd3G4bf7ScbWzdpyG11NrGGRemiPDNLcsHz1s55NG+sRyQ==
X-Google-Smtp-Source: AGHT+IHCc7dn/CzatINz1zJhVEJelpqLUKVbJW21xBN5ERVrJjDZ55qxxBDFXAC421weFgYNmT9d
X-Received: by 2002:a05:6358:79f:b0:186:291f:e902 with SMTP id n31-20020a056358079f00b00186291fe902mr6064835rwj.26.1712663438164;
        Tue, 09 Apr 2024 04:50:38 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1712663438; cv=pass;
        d=google.com; s=arc-20160816;
        b=vKck7TAM+6DdaAa6RrkPxKhhqWc76l/CWP0st8vTPyyzmWIO5lUw21OVpUrDrGP3a1
         1gBSn32N+ZUX/YjMW065x9BeTxAA2VtpdM9/Yys7C989FRjFi3GfpxPk/hrFCzjyoPfq
         93IKkx7l6es2mb18Nt8SRZ8rCq5z3ZjZrJwcLEcyMooiCqFKNOErkJuG1urZZPcOsV0s
         Us/DpLbxsQP5+XQWZQMYD8yBiJBSSfe4Z5t+nDxmUk+z6pyqwgip2vPdPfpkCJk6jUXg
         7sKoGZ9gTLYfH8EzmWJde/2kYdlPblpdOwOSaGq7l+Qit84XzkyLSTlqCrAVvXKPXBoO
         WZyw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:date
         :subject:cc:to:from:message-id:dkim-signature;
        bh=ek038P3LxIw6ciT6YTkaoOBDNFyc6zhMZtJXRjLxO2U=;
        fh=+kvC6ix1Bh7FmqCE83mL4gMQZmouoU7DDynT6Bnx1wo=;
        b=lPVNwZhiAgPKIrU3BMEbZehoncGpCzH6oPr1gjdBtqbDZqmLCVnZt7otyQDtpkR0c5
         uP13vAEdYnApISBnPfvsNTKs03DWDEVOtnNQBGyo8FX0VUJe1fEcktqHm9t3gfqla7Vt
         U3qs0QxW0F8oNTm0uJn+EoAWA856RSrLky6dExhuuDzy48OdtdGVjW1fghhM1TEbzPoZ
         4EbHW01NoD4hzUm6BxfpEE6AVv/p37JzsbKefbYu3RyZD6WUAldVX2dxqmci0mWM1j61
         zSos5t43qreqx/j/5nzbBWQ6pUiPJlwwxG1spv4PRh8th1oZatTYzCIkNo03b7pcDOwD
         T4FQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@qq.com header.s=s201512 header.b=OxE5DP9J;
       arc=pass (i=1 spf=pass spfdomain=qq.com dkim=pass dkdomain=qq.com dmarc=pass fromdomain=qq.com);
       spf=pass (google.com: domain of linux-kernel+bounces-136804-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-136804-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qq.com
Return-Path: <linux-kernel+bounces-136804-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id kq15-20020a056a004b0f00b006ed1790830bsi6191844pfb.68.2024.04.09.04.50.37
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Apr 2024 04:50:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-136804-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@qq.com header.s=s201512 header.b=OxE5DP9J;
       arc=pass (i=1 spf=pass spfdomain=qq.com dkim=pass dkdomain=qq.com dmarc=pass fromdomain=qq.com);
       spf=pass (google.com: domain of linux-kernel+bounces-136804-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-136804-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qq.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 35D9A2816E0
	for <linux.lists.archive@gmail.com>; Tue,  9 Apr 2024 11:44:15 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 1B9B6128806;
	Tue,  9 Apr 2024 11:44:09 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b="OxE5DP9J"
Received: from out203-205-221-153.mail.qq.com (out203-205-221-153.mail.qq.com [203.205.221.153])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id DEF5586242;
	Tue,  9 Apr 2024 11:44:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=203.205.221.153
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712663048; cv=none; b=iMQP3+2UK4bW0cW3ZVLSxUSjRal/sFKAzPvl2QI1s5cl8ag47akbl0VzzNH5X+CyXLRZYvzw9UfB5I779NRDmlgV6we4WIlpJE7DloctxBj34Sq+27f4bS2BNRZaPN+qVz/uDPCcQgVI4kCkPSCnbUIbBd1MmsyezAai0pwWLYc=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712663048; c=relaxed/simple;
	bh=1dQG2CvAIYQGD4YX1qhjNYbP21CNDqzNX0gQDzEE75w=;
	h=Message-ID:From:To:Cc:Subject:Date:In-Reply-To:References:
	 MIME-Version; b=g6p0NbR4ilF4WoOlOUhUJDBTYH2DJcukpDCMuulg7pvlDiUijT5sWGbTZIK07oqJwoO/mTe/HyDgSZIy2ydDcuSajjDShPXst3PAjfcankYH+ZNy4PrT6k20GqR9SOyrTiThYVmLZgCkHRwDltPqTAuLa46Gj5YuGAeUuieVTd8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com; spf=pass smtp.mailfrom=qq.com; dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b=OxE5DP9J; arc=none smtp.client-ip=203.205.221.153
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=qq.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512;
	t=1712663043; bh=ek038P3LxIw6ciT6YTkaoOBDNFyc6zhMZtJXRjLxO2U=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=OxE5DP9J5wJ4vPeRBpEtobdQDNHXMmx6jF/g7f4Mz1snQoYVLMGiL9YmOB808Qfgu
	 QJrHLRVKhDo2GU2WmqXay2HztKEGf/ydGkXVWQRNyMhACbHzqnhz8ISseyAZSSznx8
	 y8j4Ydwyqy3ao+fuiwgcb4+cKM4LYYLTp+LSYKTg=
Received: from pek-lxu-l1.wrs.com ([111.198.228.153])
	by newxmesmtplogicsvrsza1-0.qq.com (NewEsmtp) with SMTP
	id 96A80033; Tue, 09 Apr 2024 19:37:42 +0800
X-QQ-mid: xmsmtpt1712662662tw6erwfdr
Message-ID: <tencent_AABA5D95191FCFD28DB325F58D8212525D07@qq.com>
X-QQ-XMAILINFO: OLnGMPzD2sDVVgYBMuObIt7JY7d+1JJldgIEcNGDmR75Mny7SS/dHiEza6dSIl
	 G/Mq+ty3e57hyKBAmSoLMVu0nn/iwyNqwiNgwShDz/Wzp1qwnxR8IAKzJkgyUtXEgHTcRLJDoh44
	 dPQyOcex70aCjGv32PeQ8hpphjivh860XqgXXkE+8RySOSeS/j6Js1Q41fYgITH/frAnGOXRvz0s
	 ME4ZKTpQnrNTaxllfs5+Ch0GIg+8ivwTQ9XC3ZrBJGHpgd6uP0CZ0L4fjSD6lupgu3zgc//43ysD
	 6jJMb0i0ZqpgpRNLsGe1CYqJUihji8XNokAqdAkchbUJAOKrdOC8tiP/B0BIGwAbz9VUyLLMGbMS
	 HNT3GfUESr/93xMNphzEbYS90JvTdsj3ipwDm0ELC6BQqKkQpJghx5JLlSWHHGxSxEkTGNyBsSMT
	 yipAnTQMkIG2iw4RJRRKi5MX7mZAKq6PE0lz3jHzPvCruqXQbsK27+eOOvSMB4OVukXPXGfavviZ
	 nWtlCPx9MHwbDTq+eBs0fbVWFosb/45+UB7xGFyLLPOyzy+p9OBvwe9w5qs7NXvxPLjf72ff4K01
	 coIk7nuvZf3Pds8qmOzbz3CXo5GgOaweKUprYm9/yzMPAq9PFZJZ+58gQeS/6R0rMtLLUqUJorro
	 h8eOmfHJ0mVER/eE95YejLzVsH5eT2IVUn9QtiRUveS8WNet2AVSaLiqG+WGnfe95x4k4/xE0hHk
	 dF/Yp4BfrVUg5P28n4+jMy9vJu+hxDHfof9xUbKh9AJy1LwbQ03oNt0Mz5Q4UG2VYSRgNbHIHxTX
	 f2EVUBZyu1dL8vDZCnbMdW0earas4LzlyywTrbk1CkH+vNv3vYA+8akcZ61iY98Do7UJ2vw7Wadz
	 mJ8YUQt3h727jYFBUReIMcoAMAYBtQcLm2NleOZE0HCYpcxy7bz1OOX4I4BblYhGVBLoSqxOurvf
	 GErxvfbvUFFwDaVOSmeXmoFmZ1wZpBRzpjGuJ0fbh0U+/Xx00Iow==
X-QQ-XMRINFO: M/715EihBoGSf6IYSX1iLFg=
From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+9b8be5e35747291236c8@syzkaller.appspotmail.com
Cc: andrii@kernel.org,
	ast@kernel.org,
	bpf@vger.kernel.org,
	daniel@iogearbox.net,
	haoluo@google.com,
	john.fastabend@gmail.com,
	jolsa@kernel.org,
	kpsingh@kernel.org,
	linux-kernel@vger.kernel.org,
	martin.lau@linux.dev,
	sdf@google.com,
	song@kernel.org,
	syzkaller-bugs@googlegroups.com,
	yonghong.song@linux.dev
Subject: [PATCH] bpf: fix uninit-value in strnchr
Date: Tue,  9 Apr 2024 19:37:43 +0800
X-OQ-MSGID: <20240409113742.4055421-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000009e2ff406130de279@google.com>
References: <0000000000009e2ff406130de279@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

According to the context in bpf_bprintf_prepare(), this is checking if fmt ends
with a NUL word. Therefore, strnchrnul() should be used for validation instead
of strnchr().

Reported-by: syzbot+9b8be5e35747291236c8@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 kernel/bpf/helpers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 449b9a5d3fe3..07490eba24fe 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -826,7 +826,7 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
 	u64 cur_arg;
 	char fmt_ptype, cur_ip[16], ip_spec[] = "%pXX";
 
-	fmt_end = strnchr(fmt, fmt_size, 0);
+	fmt_end = strnchrnul(fmt, fmt_size, 0);
 	if (!fmt_end)
 		return -EINVAL;
 	fmt_size = fmt_end - fmt;
-- 
2.43.0