lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <875zjy33z2.fsf@miraculix.mork.no>
Date:   Tue, 05 Nov 2019 13:25:05 +0100
From:   Bjørn Mork <bjorn@...k.no>
To:     Oliver Neukum <oneukum@...e.com>
Cc:     syzbot <syzbot+0631d878823ce2411636@...kaller.appspotmail.com>,
        davem@...emloft.net, glider@...gle.com,
        linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
        netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size

Oliver Neukum <oneukum@...e.com> writes:
> Am Montag, den 04.11.2019, 22:22 +0100 schrieb Bjørn Mork:
>> This looks like a false positive to me. max_datagram_size is two bytes
>> declared as
>> 
>>         __le16 max_datagram_size;
>> 
>> and the code leading up to the access on drivers/net/usb/cdc_ncm.c:587
>> is:
>> 
>>         /* read current mtu value from device */
>>         err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
>>                               USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
>>                               0, iface_no, &max_datagram_size, 2);
>
> At this point err can be 1.
>
>>         if (err < 0) {
>>                 dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
>>                 goto out;
>>         }
>> 
>>         if (le16_to_cpu(max_datagram_size) == ctx->max_datagram_size)
>> 
>> 
>> 
>> AFAICS, there is no way max_datagram_size can be uninitialized here.
>> usbnet_read_cmd() either read 2 bytes into it or returned an error,
>
> No. usbnet_read_cmd() will return the number of bytes transfered up
> to the number requested or an error.

Ah, OK. So that could be fixed with e.g.

  if (err < 2)
       goto out;


Or would it be better to add a strict length checking variant of this
API?  There are probably lots of similar cases where we expect a
multibyte value and a short read is (or should be) considered an error.
I can't imagine any situation where we want a 2, 4, 6 or 8 byte value
and expect a flexible length returned.

>> causing the access to be skipped.  Or am I missing something?
>
> Yes. You can get half the MTU. We have a similar class of bugs
> with MAC addresses.

Right.  And probably all 16 or 32 bit integer reads...

Looking at the NCM spec, I see that the wording is annoyingly flexible
wrt length - both ways.  E.g for GetNetAddress:

  To get the entire network address, the host should set wLength to at
  least 6. The function shall never return more than 6 bytes in response
  to this command.

Maybe the correct fix is simply to let usbnet_read_cmd() initialize the
full buffer regardless of what the device returns?  I.e.

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index dde05e2fdc3e..df3efafca450 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1982,7 +1982,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
                   cmd, reqtype, value, index, size);
 
        if (size) {
-               buf = kmalloc(size, GFP_KERNEL);
+               buf = kzalloc(size, GFP_KERNEL);
                if (!buf)
                        goto out;
        }
@@ -1992,7 +1992,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
                              USB_CTRL_GET_TIMEOUT);
        if (err > 0 && err <= size) {
         if (data)
-            memcpy(data, buf, err);
+            memcpy(data, buf, size);
         else
             netdev_dbg(dev->net,
                 "Huh? Data requested but thrown away.\n");




What do you think?

Personally, I don't think it makes sense for a device to return a 1-byte
mtu or 3-byte mac address. But the spec allows it and this would at
least make it safe.

We have a couple of similar bugs elsewhere in the same driver, BTW..


Bjørn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ