From: Kathara Sasikumar
To: alex.aring@gmail.com, stefan@datenfreihafen.org, miquel.raynal@bootlin.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, linux-wpan@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, shuah@kernel.org, skhan@linuxfoundation.org, Kathara Sasikumar, syzbot+60a66d44892b66b56545@syzkaller.appspotmail.com
Subject: [PATCH] mac802154: fix uninitialized security header fields
Date: Sun, 14 Dec 2025 00:13:39 +0000
Message-ID: <20251214001338.1127132-2-katharasasikumar007@gmail.com>

KMSAN reported an uninitialized-value access in
ieee802154_hdr_push_sechdr(). This happened because
mac802154_set_header_security() allowed frames with cb->secen=1 but
LLSEC disabled when secen_override=0, leaving parts of the security
header uninitialized.

Fix the validation so security-enabled frames are rejected whenever
LLSEC is disabled, regardless of secen_override. Also clear the full
header struct in the header creation functions to avoid partial
initialization.

Reported-by: syzbot+60a66d44892b66b56545@syzkaller.appspotmail.com
Tested-by: syzbot+60a66d44892b66b56545@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=60a66d44892b66b56545
Signed-off-by: Kathara Sasikumar --- net/mac802154/iface.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c index 9e4631fade90..a1222c1b62b3 100644 --- a/net/mac802154/iface.c +++ b/net/mac802154/iface.c @@ -328,8 +328,14 @@ static int mac802154_set_header_security(struct ieee80= 2154_sub_if_data *sdata, =20 mac802154_llsec_get_params(&sdata->sec, ¶ms); =20 - if (!params.enabled && cb->secen_override && cb->secen) - return -EINVAL; + if (!cb->secen_override) { + if (!params.enabled) + return 0; + } else { + if (cb->secen && !params.enabled) + return -EINVAL; + } + if (!params.enabled || (cb->secen_override && !cb->secen) || !params.out_level) @@ -366,7 +372,7 @@ static int ieee802154_header_create(struct sk_buff *skb, if (!daddr) return -EINVAL; =20 - memset(&hdr.fc, 0, sizeof(hdr.fc)); + memset(&hdr, 0, sizeof(hdr)); hdr.fc.type =3D cb->type; hdr.fc.security_enabled =3D cb->secen; hdr.fc.ack_request =3D cb->ackreq; @@ -432,7 +438,7 @@ static int mac802154_header_create(struct sk_buff *skb, if (!daddr) return -EINVAL; =20 - memset(&hdr.fc, 0, sizeof(hdr.fc)); + memset(&hdr, 0, sizeof(hdr)); hdr.fc.type =3D IEEE802154_FC_TYPE_DATA; hdr.fc.ack_request =3D wpan_dev->ackreq; hdr.seq =3D atomic_inc_return(&dev->ieee802154_ptr->dsn) & 0xFF; --=20 2.51.0
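
Review bot: In the first hunk (mac802154_set_header_security), the new if/else returns the same result as the removed check for every combination of inputs, so it does not implement the validation change the changelog describes. With secen_override=0 and LLSEC disabled the function returned 0 before (through the unchanged `!params.enabled ||` test that follows) and still returns 0 now, and -EINVAL is still returned only when secen_override, secen and !params.enabled all hold. If frames with cb->secen set are meant to be rejected regardless of secen_override, the test has to be `if (cb->secen && !params.enabled) return -EINVAL;` with no secen_override condition around it. Otherwise drop this hunk and reword the changelog so that the widened memset is described as the fix.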
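
Review bot: In the ieee802154_header_create hunk, the context line `hdr.fc.security_enabled = cb->secen;` still runs after the widened memset, so in the case the changelog names (cb->secen=1, LLSEC disabled, secen_override=0) the frame control field keeps the security bit set while hdr.sec is now all zeroes. That gives ieee802154_hdr_push_sechdr() defined input and quiets KMSAN, but the frame still advertises a security header that nothing filled in. Consider clearing hdr.fc.security_enabled, or failing the header creation, when the security setup leaves hdr.sec untouched, and say in the changelog which of the two behaviours is intended.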