| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Aug 2019 12:16:04 +0200
From: Oliver Neukum <oneukum@...e.com>
To: Andrey Konovalov <andreyknvl@...gle.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Alexander Potapenko <glider@...gle.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
steve.glendinning@...well.net,
syzbot <syzbot+6966546b78d050bb0b5d@...kaller.appspotmail.com>,
LKML <linux-kernel@...r.kernel.org>,
USB list <linux-usb@...r.kernel.org>,
netdev <netdev@...r.kernel.org>
Subject: Re: KMSAN: uninit-value in smsc75xx_bind
Am Dienstag, den 13.08.2019, 17:08 +0200 schrieb Andrey Konovalov:
> On Tue, Aug 13, 2019 at 2:43 PM Oliver Neukum <oneukum@...e.com> wrote:
> >
> >
> > Hi,
> >
> > this looks like a false positive to me.
> > The offending code is likely this:
> >
> > if (size) {
> > buf = kmalloc(size, GFP_KERNEL);
> > if (!buf)
> > goto out;
> > }
> >
> > err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
> > cmd, reqtype, value, index, buf, size,
> > USB_CTRL_GET_TIMEOUT);
> >
> > which uses 'buf' uninitialized. But it is used for input.
> > What is happening here?
>
> AFAICS, the uninitialized use of buf that KMSAN points out is in the
> "if (buf & PMT_CTL_DEV_RDY)" statement in smsc75xx_wait_ready(). Does
> __smsc75xx_read_reg/usb_control_msg() always initialize buf? Can it
> just initialize the first few bytes for example?
>
Hi,
you are unfortunately right and this is not the only driver vulnerable
in this way. I am going through them.
Regards
Oliver
Powered by blists - more mailing lists