[PATCH openEuler-1.0-LTS 0/4] Fix CVE-2024-35915 - Kernel - mailweb.openeuler.org

newer
[PATCH openEuler-1.0-LTS v2 0/2]...

[PATCH openEuler-1.0-LTS 0/4] Fix CVE-2024-35915

older
[PATCH openEuler-1.0-LTS 0/2] net:...

Zheng Zucheng

3 Jul 2024 3 Jul '24

9:33 p.m.

Ryosuke Yasuoka (3): nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet nfc: nci: Fix uninit-value in nci_rx_work nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() Tetsuo Handa (1): nfc: nci: Fix kcov check in nci_rx_work() net/nfc/nci/core.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) -- 2.34.1

Reply

Sign in to reply online Use email software

Show replies by date

Zheng Zucheng

3 Jul 3 Jul

9:33 p.m.

New subject: [PATCH openEuler-1.0-LTS 1/4] nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet

From: Ryosuke Yasuoka <ryasuoka@redhat.com> stable inclusion from stable-v6.6.26 commit a946ebee45b09294c8b0b0e77410b763c4d2817a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG8F CVE: CVE-2024-35915 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit d24b03535e5eb82e025219c2f632b485409c898f ] syzbot reported the following uninit-value access issue [1][2]: nci_rx_work() parses and processes received packet. When the payload length is zero, each message type handler reads uninitialized payload and KMSAN detects this issue. The receipt of a packet with a zero-size payload is considered unexpected, and therefore, such packets should be silently discarded. This patch resolved this issue by checking payload size before calling each message type handler codes. Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") Reported-and-tested-by: syzbot+7ea9413ea6749baf5574@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+29b5ca705d2e0f4a44d2@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7ea9413ea6749baf5574 [1] Closes: https://syzkaller.appspot.com/bug?extid=29b5ca705d2e0f4a44d2 [2] Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com> Reviewed-by: Jeremy Cline <jeremy@jcline.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> Signed-off-by: Zheng Zucheng <zhengzucheng@huawei.com> --- net/nfc/nci/core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index 7148bc0af030..f393aae80598 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1507,6 +1507,11 @@ static void nci_rx_work(struct work_struct *work) nfc_send_to_raw_sock(ndev->nfc_dev, skb, RAW_PAYLOAD_NCI, NFC_DIRECTION_RX); + if (!nci_plen(skb->data)) { + kfree_skb(skb); + break; + } + /* Process frame */ switch (nci_mt(skb->data)) { case NCI_MT_RSP_PKT: -- 2.34.1

Reply

Sign in to reply online Use email software

Zheng Zucheng

9:33 p.m.

New subject: [PATCH openEuler-1.0-LTS 2/4] nfc: nci: Fix kcov check in nci_rx_work()

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> mainline inclusion from mainline-v6.9-rc1 commit 19e35f24750ddf860c51e51c68cf07ea181b4881 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG8F CVE: CVE-2024-35915 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Commit 7e8cdc97148c ("nfc: Add KCOV annotations") added kcov_remote_start_common()/kcov_remote_stop() pair into nci_rx_work(), with an assumption that kcov_remote_stop() is called upon continue of the for loop. But commit d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") forgot to call kcov_remote_stop() before break of the for loop. Reported-by: syzbot <syzbot+0438378d6f157baae1a2@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2 Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") Suggested-by: Andrey Konovalov <andreyknvl@gmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/6d10f829-5a0c-405a-b39a-d7266f3a1a0b@I-love.SAKURA... Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Zheng Zucheng <zhengzucheng@huawei.com> --- net/nfc/nci/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index f393aae80598..6216eab4868f 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1509,6 +1509,7 @@ static void nci_rx_work(struct work_struct *work) if (!nci_plen(skb->data)) { kfree_skb(skb); + kcov_remote_stop(); break; } -- 2.34.1

Reply

Sign in to reply online Use email software

Zheng Zucheng

9:33 p.m.

New subject: [PATCH openEuler-1.0-LTS 3/4] nfc: nci: Fix uninit-value in nci_rx_work

From: Ryosuke Yasuoka <ryasuoka@redhat.com> mainline inclusion from mainline-v6.10-rc1 commit e4a87abf588536d1cdfb128595e6e680af5cf3ed category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG8F CVE: CVE-2024-35915 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- syzbot reported the following uninit-value access issue [1] nci_rx_work() parses received packet from ndev->rx_q. It should be validated header size, payload size and total packet size before processing the packet. If an invalid packet is detected, it should be silently discarded. Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") Reported-and-tested-by: syzbot+d7b4dc6cd50410152534@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d7b4dc6cd50410152534 [1] Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: net/nfc/nci/core.c [Some contexts around nci_valid_size different. No functional impact.] Signed-off-by: Zheng Zucheng <zhengzucheng@huawei.com> --- net/nfc/nci/core.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index 6216eab4868f..165fcddb51e3 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1457,6 +1457,20 @@ int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode, ndev->ops->n_core_ops); } +static bool nci_valid_size(struct sk_buff *skb) +{ + unsigned int hdr_size = NCI_CTRL_HDR_SIZE; + + BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE); + + if (skb->len < hdr_size || + !nci_plen(skb->data) || + skb->len < hdr_size + nci_plen(skb->data)) { + return false; + } + return true; +} + /* ---- NCI TX Data worker thread ---- */ static void nci_tx_work(struct work_struct *work) @@ -1507,7 +1521,7 @@ static void nci_rx_work(struct work_struct *work) nfc_send_to_raw_sock(ndev->nfc_dev, skb, RAW_PAYLOAD_NCI, NFC_DIRECTION_RX); - if (!nci_plen(skb->data)) { + if (!nci_valid_size(skb)) { kfree_skb(skb); kcov_remote_stop(); break; -- 2.34.1

Reply

Sign in to reply online Use email software

Zheng Zucheng

9:33 p.m.

New subject: [PATCH openEuler-1.0-LTS 4/4] nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()

From: Ryosuke Yasuoka <ryasuoka@redhat.com> mainline inclusion from mainline-v6.9-rc1 commit 6671e352497ca4bb07a96c48e03907065ff77d8a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG8F CVE: CVE-2024-35915 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- When nci_rx_work() receives a zero-length payload packet, it should not discard the packet and exit the loop. Instead, it should continue processing subsequent packets. Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com> Reviewed-by: Simon Horman <horms@kernel.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20240521153444.535399-1-ryasuoka@redhat.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Zheng Zucheng <zhengzucheng@huawei.com> --- net/nfc/nci/core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index 165fcddb51e3..e6f1530f64f9 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1523,8 +1523,7 @@ static void nci_rx_work(struct work_struct *work) if (!nci_valid_size(skb)) { kfree_skb(skb); - kcov_remote_stop(); - break; + continue; } /* Process frame */ -- 2.34.1

Reply

Sign in to reply online Use email software

patchwork bot

9:40 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/9724 邮件列表地址：https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/9724 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6...

Reply

Sign in to reply online Use email software

238

Age (days ago)

238

Last active (days ago)

5 comments

2 participants

tags

participants (2)

patchwork bot
Zheng Zucheng