KMSAN reported an uninitialized-value access in ieee802154_hdr_push_sechdr(). This happened because mac802154_set_header_security() allowed frames with cb->secen=1 but LLSEC disabled when secen_override=0, leaving parts of the security header uninitialized.
Fix the validation so security-enabled frames are rejected whenever LLSEC is disabled, regardless of secen_override. Also clear the full header struct in the header creation functions to avoid partial initialization. Reported-by: [email protected] Tested-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=60a66d44892b66b56545 Signed-off-by: Kathara Sasikumar <[email protected]> --- net/mac802154/iface.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c index 9e4631fade90..a1222c1b62b3 100644 --- a/net/mac802154/iface.c +++ b/net/mac802154/iface.c @@ -328,8 +328,14 @@ static int mac802154_set_header_security(struct ieee802154_sub_if_data *sdata, mac802154_llsec_get_params(&sdata->sec, ¶ms); - if (!params.enabled && cb->secen_override && cb->secen) - return -EINVAL; + if (!cb->secen_override) { + if (!params.enabled) + return 0; + } else { + if (cb->secen && !params.enabled) + return -EINVAL; + } + if (!params.enabled || (cb->secen_override && !cb->secen) || !params.out_level) @@ -366,7 +372,7 @@ static int ieee802154_header_create(struct sk_buff *skb, if (!daddr) return -EINVAL; - memset(&hdr.fc, 0, sizeof(hdr.fc)); + memset(&hdr, 0, sizeof(hdr)); hdr.fc.type = cb->type; hdr.fc.security_enabled = cb->secen; hdr.fc.ack_request = cb->ackreq; @@ -432,7 +438,7 @@ static int mac802154_header_create(struct sk_buff *skb, if (!daddr) return -EINVAL; - memset(&hdr.fc, 0, sizeof(hdr.fc)); + memset(&hdr, 0, sizeof(hdr)); hdr.fc.type = IEEE802154_FC_TYPE_DATA; hdr.fc.ack_request = wpan_dev->ackreq; hdr.seq = atomic_inc_return(&dev->ieee802154_ptr->dsn) & 0xFF; -- 2.51.0
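Review bot: in the mac802154_set_header_security() hunk, the new branch "if (!cb->secen_override) { if (!params.enabled) return 0; }" accepts the frame rather than rejecting it, which contradicts the commit message ("security-enabled frames are rejected whenever LLSEC is disabled, regardless of secen_override"), and the else branch is the removed check reproduced unchanged. For the reported case (cb->secen=1, LLSEC disabled, secen_override=0) the function therefore still returns 0, while the caller has already done "hdr.fc.security_enabled = cb->secen" (see the ieee802154_header_create() hunk), so no security parameters are filled in for a frame that claims to be secured; the only thing now keeping ieee802154_hdr_push_sechdr() from reading uninitialized memory is the memset in the callers. If the intent is the one stated in the message, the check should be "if (!params.enabled && cb->secen) return -EINVAL;" with no dependency on secen_override; if instead a non-overridden secen is meant to be ignored, clear hdr->fc.security_enabled before returning 0 and reword the commit message accordingly. Note also that the unchanged condition immediately below already starts with "!params.enabled", so the new return-0 path duplicates it.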
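Review bot: the memset(&hdr, 0, sizeof(hdr)) in ieee802154_header_create() is sound hardening, but on its own it only silences the KMSAN report: with "hdr.fc.security_enabled = cb->secen" still assigned right after it, a cb->secen=1 frame on an interface with LLSEC disabled reaches ieee802154_hdr_push_sechdr() with an all-zero security header (security level 0, key id mode 0, frame counter 0) instead of an uninitialized one, and that header goes on the wire. The reject-or-clear decision has to be made in mac802154_set_header_security(); please either make that function actually reject the frame, or state explicitly in the commit message that emitting a zeroed auxiliary security header is the intended behaviour, rather than presenting the memset as part of the validation fix.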
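Review bot: the memset(&hdr, 0, sizeof(hdr)) in mac802154_header_create() is consistent with the previous hunk and fine as-is; since this path sets fc.type from IEEE802154_FC_TYPE_DATA and ack_request from wpan_dev->ackreq and takes nothing from cb, it is not on the reported code path, so the commit message should say this change is purely defensive. If the declaration of hdr is nearby, a zero initializer at the declaration ("struct ieee802154_hdr hdr = {};") would achieve the same with one line less; either form is acceptable.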

