On Tue, Nov 12, 2024 at 10:50:35AM +0530, Suraj Sonawane wrote: > Fix an issue detected by syzbot with KASAN: > > BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ > core.c:416 [inline] > BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 > drivers/acpi/nfit/core.c:459 > > The issue occurs in `cmd_to_func` when the `call_pkg->nd_reserved2` > array is accessed without verifying that `call_pkg` points to a > buffer that is sized appropriately as a `struct nd_cmd_pkg`. This > could lead to out-of-bounds access and undefined behavior if the > buffer does not have sufficient space. > > To address this issue, a check was added in `acpi_nfit_ctl()` to > ensure that `buf` is not `NULL` and `buf_len` is greater than or > equal to `sizeof(struct nd_cmd_pkg)` before casting `buf` to > `struct nd_cmd_pkg *`. This ensures safe access to the members of > `call_pkg`, including the `nd_reserved2` array. > > This change preventing out-of-bounds reads. > > Reported-by: syzbot+7534f060ebda6b8b51b3@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3 > Tested-by: syzbot+7534f060ebda6b8b51b3@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 2d5404caa8c7 ("Linux 6.12-rc7") > Signed-off-by: Suraj Sonawane <surajsonawane0215@xxxxxxxxx> Suraj, The fixes tag needs to be where the issue originated, not where you discovered it (which I'm guessing was using 6.12-rc7). Here's how I find the tag: $ git blame drivers/acpi/nfit/core.c | grep call_pkg | grep buf ebe9f6f19d80d drivers/acpi/nfit/core.c (Dan Williams 2019-02-07 14:56:50 -0800 458) call_pkg = buf; $ git log -1 --pretty=fixes ebe9f6f19d80d Fixes: ebe9f6f19d80 ("acpi/nfit: Fix bus command validation") I think ^ should be your Fixes tag. snip >
