[PATCH] wireless/nl80211.c: fix uninitialized variable

[Alaa Emad]

Reported-by: syzbot+72b99d...@syzkaller.appspotmail.com
Signed-off-by: Alaa Emad <alaaemadh...@gmail.com>
---
net/wireless/nl80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 775d0c4d86c3..b87ab67ad33d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -210,7 +210,7 @@ static int validate_beacon_head(const struct nlattr *attr,
const struct element *elem;
const struct ieee80211_mgmt *mgmt = (void *)data;
bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
- unsigned int fixedlen, hdrlen;
+ unsigned int fixedlen = 0, hdrlen;

if (s1g_bcn) {
fixedlen = offsetof(struct ieee80211_ext,
--
2.25.1

[Greg KH]

On Mon, Mar 29, 2021 at 06:30:36PM +0200, Alaa Emad wrote:
> Reported-by: syzbot+72b99d...@syzkaller.appspotmail.com
> Signed-off-by: Alaa Emad <alaaemadh...@gmail.com>

You need to provide some changelog text here, I know I can not take
patches without that, maybe the wireless maintainer is more flexible :)

thanks,

greg k-h

[Alaa Emad]

  you mean explain what i did , right?

thanks,

greg k-h

[Greg KH]

Yes, explain why this change is needed.

thanks,

greg k-h

[Alaa Emad]

 

  This change fix  KMSAN uninit-value in net/wireless/nl80211.c:225 , That because of `fixedlen` variable uninitialized.

   So I initialized it by zero because the code assigned value to it after that and doesn't depend on any stored value in it .

thanks,

greg k-h

Thanks ,

Alaa

[Pavel Skripkin]

Hi!

You should add this message to the patch, not just write it to
maintainer.

I think, this link might be
useful https://www.kernel.org/doc/html/v4.17/process/submitting-patches.html

> >
> > thanks,
> >
> > greg k-h
> >
>
>
>
> Thanks ,
> Alaa

> --
> You received this message because you are subscribed to the Google
> Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller/CAM1DhOjWgN_0GVBeX%2Bpf%2B9mk_ysaN9pF4agAFUNEkzhxpFR4%3Dw%40mail.gmail.com
> .

With regards,
Pavel Skripkin

[Alaa Emad]

I see , Thank you

[Alaa Emad]

This change fix KMSAN uninit-value in net/wireless/nl80211.c:225 , That

because of `fixedlen` variable uninitialized,So I initialized it by zero.

Reported-by: syzbot+72b99d...@syzkaller.appspotmail.com
Signed-off-by: Alaa Emad <alaaemadh...@gmail.com>

---
Changes in v2:
- Make the commit message more clearer.

---
net/wireless/nl80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 775d0c4d86c3..b87ab67ad33d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -210,7 +210,7 @@ static int validate_beacon_head(const struct nlattr *attr,
const struct element *elem;
const struct ieee80211_mgmt *mgmt = (void *)data;
bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
- unsigned int fixedlen, hdrlen;

+ unsigned int fixedlen = 0 , hdrlen;

[Greg KH]

Please always use scripts/checkpatch.pl before sending out patches. It
would have pointed out that this line is incorrect and needs to be fixed
up :(

thanks,

greg k-h

[Alaa Emad]

  Okay , will do that

thanks,

greg k-h

[Alaa Emad]

This change fix KMSAN uninit-value in net/wireless/nl80211.c:225 , That
because of `fixedlen` variable uninitialized,So I initialized it by zero.

Reported-by: syzbot+72b99d...@syzkaller.appspotmail.com
Signed-off-by: Alaa Emad <alaaemadh...@gmail.com>
---
Changes in v2:
- Make the commit message more clearer.
---
net/wireless/nl80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 775d0c4d86c3..b87ab67ad33d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -210,7 +210,7 @@ static int validate_beacon_head(const struct nlattr *attr,
const struct element *elem;
const struct ieee80211_mgmt *mgmt = (void *)data;
bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
- unsigned int fixedlen, hdrlen;

+ unsigned int fixedlen = 0, hdrlen;

[Alaa Emad]

On Tue, 30 Mar 2021 at 19:15, Greg KH <gre...@linuxfoundation.org> wrote:

Should the patch be version three?

thanks,

greg k-h

[Eric Dumazet]

What was the report exactly ?

Current code does :

unsigned int fixedlen;

if (s1g_bcn) {
fixedlen = something1;
...
else {
fixedlen = something2;
...
}

So your patch does nothing.

Initial value of @fixedlen is not relevant.

Reading this code (without access to KMSAN report) I suspect the issue
is more like the following :

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 775d0c4d86c3..d815261917ff 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -209,9 +209,12 @@ static int validate_beacon_head(const struct nlattr *attr,
unsigned int len = nla_len(attr);

const struct element *elem;
const struct ieee80211_mgmt *mgmt = (void *)data;

- bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
unsigned int fixedlen, hdrlen;
+ bool s1g_bcn;

+ if (len < offsetofend(typeof(*mgmt), frame_control))
+ goto err;
+ s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);

if (s1g_bcn) {
fixedlen = offsetof(struct ieee80211_ext,

u.s1g_beacon.variable);

[Alaa Emad]

  https://syzkaller.appspot.com/bug?extid=72b99dcf4607e8c770f3

[Alaa Emad]

On Tue, 30 Mar 2021 at 21:26, Eric Dumazet <eric.d...@gmail.com> wrote:

you mean this patch have already landed? as i don't find it : https://github.com/google/kmsan/blob/master/net/wireless/nl80211.c#L213