[syzbot] WARNING in nci_add_new_protocol
13 views
Skip to first unread message
syzbot
Nov 27, 2022, 5:26:31 PM11/27/22
to da...@davemloft.net, edum...@google.com, krzysztof...@linaro.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 4312098baf37 Merge tag 'spi-fix-v6.1-rc6' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e25bb5880000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1129081024ee340
dashboard link: https://syzkaller.appspot.com/bug?extid=210e196cef4711b65139
compiler: arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+210e19...@syzkaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7843 at net/nfc/nci/ntf.c:260 nci_add_new_protocol+0x268/0x30c net/nfc/nci/ntf.c:260
memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
Modules linked in:
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7843 Comm: kworker/u4:3 Not tainted 6.1.0-rc6-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: nfc2_nci_rx_wq nci_rx_work
Backtrace:
[<81751624>] (dump_backtrace) from [<81751718>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:253)
r7:81cf8970 r6:822228ec r5:60000193 r4:81d06d58
[<81751700>] (show_stack) from [<8176d3e0>] (__dump_stack lib/dump_stack.c:88 [inline])
[<81751700>] (show_stack) from [<8176d3e0>] (dump_stack_lvl+0x48/0x54 lib/dump_stack.c:106)
[<8176d398>] (dump_stack_lvl) from [<8176d404>] (dump_stack+0x18/0x1c lib/dump_stack.c:113)
r5:00000000 r4:82445d14
[<8176d3ec>] (dump_stack) from [<817522c0>] (panic+0x11c/0x360 kernel/panic.c:274)
[<817521a4>] (panic) from [<80241604>] (__warn+0x98/0x1a4 kernel/panic.c:621)
r3:00000001 r2:00000000 r1:00000000 r0:81cf8970
r7:816e192c
[<8024156c>] (__warn) from [<817525a0>] (warn_slowpath_fmt+0x9c/0xd4 kernel/panic.c:651)
r8:00000009 r7:816e192c r6:00000104 r5:81ec7084 r4:81d20104
[<81752508>] (warn_slowpath_fmt) from [<816e192c>] (nci_add_new_protocol+0x268/0x30c net/nfc/nci/ntf.c:260)
r8:84f0b129 r7:dfb25e4c r6:00000002 r5:00000081 r4:84f0b0fc
[<816e16c4>] (nci_add_new_protocol) from [<816e2738>] (nci_add_new_target net/nfc/nci/ntf.c:306 [inline])
[<816e16c4>] (nci_add_new_protocol) from [<816e2738>] (nci_rf_discover_ntf_packet net/nfc/nci/ntf.c:378 [inline])
[<816e16c4>] (nci_add_new_protocol) from [<816e2738>] (nci_ntf_packet+0xaf8/0xe18 net/nfc/nci/ntf.c:792)
r8:00000001 r7:00000000 r6:84f0b000 r5:85202c00 r4:00000103
[<816e1c40>] (nci_ntf_packet) from [<816df268>] (nci_rx_work+0x70/0xe8 net/nfc/nci/core.c:1513)
r10:84851205 r9:81a4b84c r8:81ec67b8 r7:84f0b0a4 r6:84f0b070 r5:84f0b000
r4:85202c00
[<816df1f8>] (nci_rx_work) from [<802611c0>] (process_one_work+0x20c/0x5ac kernel/workqueue.c:2289)
r9:828e5c00 r8:00000100 r7:84851200 r6:8280e800 r5:85867500 r4:84f0b070
[<80260fb4>] (process_one_work) from [<802615cc>] (worker_thread+0x6c/0x4e0 kernel/workqueue.c:2436)
r10:8280e800 r9:00000088 r8:82204d40 r7:8280e81c r6:85867518 r5:8280e800
r4:85867500
[<80261560>] (worker_thread) from [<80269b24>] (kthread+0xec/0x11c kernel/kthread.c:376)
r10:00000000 r9:ed855e8c r8:852e8700 r7:85867500 r6:80261560 r5:828e5c00
r4:84991a40
[<80269a38>] (kthread) from [<80200100>] (ret_from_fork+0x14/0x34 arch/arm/kernel/entry-common.S:148)
Exception stack(0xdfb25fb0 to 0xdfb25ff8)
5fa0: 00000000 00000000 00000000 00000000
5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:80269a38 r4:84991a40
Rebooting in 86400 seconds..
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 4312098baf37 Merge tag 'spi-fix-v6.1-rc6' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e25bb5880000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1129081024ee340
dashboard link: https://syzkaller.appspot.com/bug?extid=210e196cef4711b65139
compiler: arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+210e19...@syzkaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7843 at net/nfc/nci/ntf.c:260 nci_add_new_protocol+0x268/0x30c net/nfc/nci/ntf.c:260
memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
Modules linked in:
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7843 Comm: kworker/u4:3 Not tainted 6.1.0-rc6-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: nfc2_nci_rx_wq nci_rx_work
Backtrace:
[<81751624>] (dump_backtrace) from [<81751718>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:253)
r7:81cf8970 r6:822228ec r5:60000193 r4:81d06d58
[<81751700>] (show_stack) from [<8176d3e0>] (__dump_stack lib/dump_stack.c:88 [inline])
[<81751700>] (show_stack) from [<8176d3e0>] (dump_stack_lvl+0x48/0x54 lib/dump_stack.c:106)
[<8176d398>] (dump_stack_lvl) from [<8176d404>] (dump_stack+0x18/0x1c lib/dump_stack.c:113)
r5:00000000 r4:82445d14
[<8176d3ec>] (dump_stack) from [<817522c0>] (panic+0x11c/0x360 kernel/panic.c:274)
[<817521a4>] (panic) from [<80241604>] (__warn+0x98/0x1a4 kernel/panic.c:621)
r3:00000001 r2:00000000 r1:00000000 r0:81cf8970
r7:816e192c
[<8024156c>] (__warn) from [<817525a0>] (warn_slowpath_fmt+0x9c/0xd4 kernel/panic.c:651)
r8:00000009 r7:816e192c r6:00000104 r5:81ec7084 r4:81d20104
[<81752508>] (warn_slowpath_fmt) from [<816e192c>] (nci_add_new_protocol+0x268/0x30c net/nfc/nci/ntf.c:260)
r8:84f0b129 r7:dfb25e4c r6:00000002 r5:00000081 r4:84f0b0fc
[<816e16c4>] (nci_add_new_protocol) from [<816e2738>] (nci_add_new_target net/nfc/nci/ntf.c:306 [inline])
[<816e16c4>] (nci_add_new_protocol) from [<816e2738>] (nci_rf_discover_ntf_packet net/nfc/nci/ntf.c:378 [inline])
[<816e16c4>] (nci_add_new_protocol) from [<816e2738>] (nci_ntf_packet+0xaf8/0xe18 net/nfc/nci/ntf.c:792)
r8:00000001 r7:00000000 r6:84f0b000 r5:85202c00 r4:00000103
[<816e1c40>] (nci_ntf_packet) from [<816df268>] (nci_rx_work+0x70/0xe8 net/nfc/nci/core.c:1513)
r10:84851205 r9:81a4b84c r8:81ec67b8 r7:84f0b0a4 r6:84f0b070 r5:84f0b000
r4:85202c00
[<816df1f8>] (nci_rx_work) from [<802611c0>] (process_one_work+0x20c/0x5ac kernel/workqueue.c:2289)
r9:828e5c00 r8:00000100 r7:84851200 r6:8280e800 r5:85867500 r4:84f0b070
[<80260fb4>] (process_one_work) from [<802615cc>] (worker_thread+0x6c/0x4e0 kernel/workqueue.c:2436)
r10:8280e800 r9:00000088 r8:82204d40 r7:8280e81c r6:85867518 r5:8280e800
r4:85867500
[<80261560>] (worker_thread) from [<80269b24>] (kthread+0xec/0x11c kernel/kthread.c:376)
r10:00000000 r9:ed855e8c r8:852e8700 r7:85867500 r6:80261560 r5:828e5c00
r4:84991a40
[<80269a38>] (kthread) from [<80200100>] (ret_from_fork+0x14/0x34 arch/arm/kernel/entry-common.S:148)
Exception stack(0xdfb25fb0 to 0xdfb25ff8)
5fa0: 00000000 00000000 00000000 00000000
5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:80269a38 r4:84991a40
Rebooting in 86400 seconds..
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Kees Cook
Dec 2, 2022, 4:36:30 PM12/2/22
to Krzysztof Kozlowski, syzbot, da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
On Sun, Nov 27, 2022 at 02:26:30PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 4312098baf37 Merge tag 'spi-fix-v6.1-rc6' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12e25bb5880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b1129081024ee340
> dashboard link: https://syzkaller.appspot.com/bug?extid=210e196cef4711b65139
> compiler: arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+210e19...@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 7843 at net/nfc/nci/ntf.c:260 nci_add_new_protocol+0x268/0x30c net/nfc/nci/ntf.c:260
> memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
This looks like a legitimate overflow flaw to me. Likely introduced with
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 4312098baf37 Merge tag 'spi-fix-v6.1-rc6' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12e25bb5880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b1129081024ee340
> dashboard link: https://syzkaller.appspot.com/bug?extid=210e196cef4711b65139
> compiler: arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+210e19...@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 7843 at net/nfc/nci/ntf.c:260 nci_add_new_protocol+0x268/0x30c net/nfc/nci/ntf.c:260
> memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
commit 019c4fbaa790 ("NFC: Add NCI multiple targets support").
These appear to be explicitly filling fixed-size arrays:
struct nfc_target {
u32 idx;
u32 supported_protocols;
u16 sens_res;
u8 sel_res;
u8 nfcid1_len;
u8 nfcid1[NFC_NFCID1_MAXSIZE];
u8 nfcid2_len;
u8 nfcid2[NFC_NFCID2_MAXSIZE];
u8 sensb_res_len;
u8 sensb_res[NFC_SENSB_RES_MAXSIZE];
u8 sensf_res_len;
u8 sensf_res[NFC_SENSF_RES_MAXSIZE];
u8 hci_reader_gate;
u8 logical_idx;
u8 is_iso15693;
u8 iso15693_dsfid;
u8 iso15693_uid[NFC_ISO15693_UID_MAXSIZE];
};
static int nci_add_new_protocol(..., struct nfc_target *target, ...)
{
...
} else if (rf_tech_and_mode == NCI_NFC_B_PASSIVE_POLL_MODE) {
nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
target->sensb_res_len = nfcb_poll->sensb_res_len;
if (target->sensb_res_len > 0) {
memcpy(target->sensb_res, nfcb_poll->sensb_res,
target->sensb_res_len);
}
} else if (rf_tech_and_mode == NCI_NFC_F_PASSIVE_POLL_MODE) {
nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
target->sensf_res_len = nfcf_poll->sensf_res_len;
if (target->sensf_res_len > 0) {
memcpy(target->sensf_res, nfcf_poll->sensf_res,
target->sensf_res_len);
}
} else if (rf_tech_and_mode == NCI_NFC_V_PASSIVE_POLL_MODE) {
nfcv_poll = (struct rf_tech_specific_params_nfcv_poll *)params;
target->is_iso15693 = 1;
target->iso15693_dsfid = nfcv_poll->dsfid;
memcpy(target->iso15693_uid, nfcv_poll->uid, NFC_ISO15693_UID_MAXSIZE);
}
...
But the sizes are unbounds-checked, which means the buffers can be
overwritten (as seen with the syzkaller report).
Perhaps this to fix it?
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index 282c51051dcc..3a79f07bfea7 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -240,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
target->sens_res = nfca_poll->sens_res;
target->sel_res = nfca_poll->sel_res;
target->nfcid1_len = nfca_poll->nfcid1_len;
+ if (target->nfcid1_len > ARRAY_SIZE(target->target->nfcid1))
+ return -EPROTO;
if (target->nfcid1_len > 0) {
memcpy(target->nfcid1, nfca_poll->nfcid1,
target->nfcid1_len);
@@ -248,6 +250,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
target->sensb_res_len = nfcb_poll->sensb_res_len;
+ if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res))
+ return -EPROTO;
if (target->sensb_res_len > 0) {
memcpy(target->sensb_res, nfcb_poll->sensb_res,
target->sensb_res_len);
@@ -256,6 +260,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
target->sensf_res_len = nfcf_poll->sensf_res_len;
+ if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res))
+ return -EPROTO;
if (target->sensf_res_len > 0) {
memcpy(target->sensf_res, nfcf_poll->sensf_res,
target->sensf_res_len);
--
Kees Cook
Krzysztof Kozlowski
Dec 5, 2022, 2:57:51 AM12/5/22
to Kees Cook, syzbot, da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
>
Best regards,
Krzysztof
Reply all
Reply to author
Forward
0 new messages