lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <68484555-f763-bc42-eb4c-9cea2ee8dadb@gmail.com>
Date:   Thu, 14 Apr 2022 23:12:19 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     Wang Cheng <wanngchenng@...il.com>, Larry.Finger@...inger.net,
        florian.c.schilhabel@...glemail.com, gregkh@...uxfoundation.org
Cc:     linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] staging: rtl8712: fix uninit-value "data" and "mac"

Hi Wang,

On 4/14/22 17:12, Wang Cheng wrote:
> Due to the case that "requesttype == 0x01 && status <= 0"
> isn't handled in r8712_usbctrl_vendorreq(),
> "data" (drivers/staging/rtl8712/usb_ops.c:32)
> will be returned without initialization.
> 
> When "tmpU1b" (drivers/staging/rtl8712/usb_intf.c:395)
> is 0, mac[6] (usb_intf.c:394) won't be initialized,
> which leads to accessing uninit-value on usb_intf.c:541.
> 
> Reported-and-tested-by: syzbot+6f5ecd144854c0d8580b@...kaller.appspotmail.com
> Signed-off-by: Wang Cheng <wanngchenng@...il.com>

This patch will just hide the problematic API in that driver. Correct 
fix is changing usb_control_msg to usb_control_msg_{recv,send}.

IIRC this driver does not want read various length requests, so it 
should be fine




With regards,
Pavel Skripkin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ