| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 05 Nov 2019 13:25:05 +0100
From: Bjørn Mork <bjorn@...k.no>
To: Oliver Neukum <oneukum@...e.com>
Cc: syzbot <syzbot+0631d878823ce2411636@...kaller.appspotmail.com>,
davem@...emloft.net, glider@...gle.com,
linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size
Oliver Neukum <oneukum@...e.com> writes:
> Am Montag, den 04.11.2019, 22:22 +0100 schrieb Bjørn Mork:
>> This looks like a false positive to me. max_datagram_size is two bytes
>> declared as
>>
>> __le16 max_datagram_size;
>>
>> and the code leading up to the access on drivers/net/usb/cdc_ncm.c:587
>> is:
>>
>> /* read current mtu value from device */
>> err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
>> USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
>> 0, iface_no, &max_datagram_size, 2);
>
> At this point err can be 1.
>
>> if (err < 0) {
>> dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
>> goto out;
>> }
>>
>> if (le16_to_cpu(max_datagram_size) == ctx->max_datagram_size)
>>
>>
>>
>> AFAICS, there is no way max_datagram_size can be uninitialized here.
>> usbnet_read_cmd() either read 2 bytes into it or returned an error,
>
> No. usbnet_read_cmd() will return the number of bytes transfered up
> to the number requested or an error.
Ah, OK. So that could be fixed with e.g.
if (err < 2)
goto out;
Or would it be better to add a strict length checking variant of this
API? There are probably lots of similar cases where we expect a
multibyte value and a short read is (or should be) considered an error.
I can't imagine any situation where we want a 2, 4, 6 or 8 byte value
and expect a flexible length returned.
>> causing the access to be skipped. Or am I missing something?
>
> Yes. You can get half the MTU. We have a similar class of bugs
> with MAC addresses.
Right. And probably all 16 or 32 bit integer reads...
Looking at the NCM spec, I see that the wording is annoyingly flexible
wrt length - both ways. E.g for GetNetAddress:
To get the entire network address, the host should set wLength to at
least 6. The function shall never return more than 6 bytes in response
to this command.
Maybe the correct fix is simply to let usbnet_read_cmd() initialize the
full buffer regardless of what the device returns? I.e.
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index dde05e2fdc3e..df3efafca450 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1982,7 +1982,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
cmd, reqtype, value, index, size);
if (size) {
- buf = kmalloc(size, GFP_KERNEL);
+ buf = kzalloc(size, GFP_KERNEL);
if (!buf)
goto out;
}
@@ -1992,7 +1992,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
USB_CTRL_GET_TIMEOUT);
if (err > 0 && err <= size) {
if (data)
- memcpy(data, buf, err);
+ memcpy(data, buf, size);
else
netdev_dbg(dev->net,
"Huh? Data requested but thrown away.\n");
What do you think?
Personally, I don't think it makes sense for a device to return a 1-byte
mtu or 3-byte mac address. But the spec allows it and this would at
least make it safe.
We have a couple of similar bugs elsewhere in the same driver, BTW..
Bjørn
Powered by blists - more mailing lists