| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 04 Nov 2019 22:22:29 +0100
From: Bjørn Mork <bjorn@...k.no>
To: syzbot <syzbot+0631d878823ce2411636@...kaller.appspotmail.com>
Cc: davem@...emloft.net, glider@...gle.com,
linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
netdev@...r.kernel.org, oliver@...kum.org,
syzkaller-bugs@...glegroups.com
Subject: Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size
syzbot <syzbot+0631d878823ce2411636@...kaller.appspotmail.com> writes:
> syzbot found the following crash on:
>
> HEAD commit: 96c6c319 net: kasan: kmsan: support CONFIG_GENERIC_CSUM on..
> git tree: https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=11f103bce00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9e324dfe9c7b0360
> dashboard link: https://syzkaller.appspot.com/bug?extid=0631d878823ce2411636
> compiler: clang version 9.0.0 (/home/glider/llvm/clang
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10dd9774e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13651a24e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+0631d878823ce2411636@...kaller.appspotmail.com
>
> =====================================================
> BUG: KMSAN: uninit-value in cdc_ncm_set_dgram_size+0x6ba/0xbc0
> drivers/net/usb/cdc_ncm.c:587
> CPU: 0 PID: 11865 Comm: kworker/0:3 Not tainted 5.4.0-rc5+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
> __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:245
> cdc_ncm_set_dgram_size+0x6ba/0xbc0 drivers/net/usb/cdc_ncm.c:587
..
> Variable was created at:
> cdc_ncm_set_dgram_size+0xf5/0xbc0 drivers/net/usb/cdc_ncm.c:564
> cdc_ncm_set_dgram_size+0xf5/0xbc0 drivers/net/usb/cdc_ncm.c:564
> =====================================================
This looks like a false positive to me. max_datagram_size is two bytes
declared as
__le16 max_datagram_size;
and the code leading up to the access on drivers/net/usb/cdc_ncm.c:587
is:
/* read current mtu value from device */
err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
0, iface_no, &max_datagram_size, 2);
if (err < 0) {
dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
goto out;
}
if (le16_to_cpu(max_datagram_size) == ctx->max_datagram_size)
AFAICS, there is no way max_datagram_size can be uninitialized here.
usbnet_read_cmd() either read 2 bytes into it or returned an error,
causing the access to be skipped. Or am I missing something?
I tried to read the syzbot manual to figure out how to tell this to the
bot, but couldn't find that either. Not my day today it seems ;-)
Please let me know what to do about this.
Bjørn
Powered by blists - more mailing lists