| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YgD0Dln2R0dPJX/L@kroah.com>
Date: Mon, 7 Feb 2022 11:27:26 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Pavel Skripkin <paskripkin@...il.com>
Cc: davem@...emloft.net, kuba@...nel.org, linux@...pel-privat.de,
andrew@...n.ch, oneukum@...e.com, robert.foss@...labora.com,
linux-usb@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+6ca9f7867b77c2d316ac@...kaller.appspotmail.com,
Oleksij Rempel <o.rempel@...gutronix.de>
Subject: Re: [PATCH net-next] net: asix: add proper error handling of usb
read errors
On Sun, Feb 06, 2022 at 09:05:16PM +0300, Pavel Skripkin wrote:
> Syzbot once again hit uninit value in asix driver. The problem still the
> same -- asix_read_cmd() reads less bytes, than was requested by caller.
>
> Since all read requests are performed via asix_read_cmd() let's catch
> usb related error there and add __must_check notation to be sure all
> callers actually check return value.
>
> So, this patch adds sanity check inside asix_read_cmd(), that simply
> checks if bytes read are not less, than was requested and adds missing
> error handling of asix_read_cmd() all across the driver code.
>
> Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter")
> Reported-and-tested-by: syzbot+6ca9f7867b77c2d316ac@...kaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
> Tested-by: Oleksij Rempel <o.rempel@...gutronix.de>
> ---
>
> Changes since RFT:
> - Added Tested-by: tag
>
> ---
> drivers/net/usb/asix.h | 4 ++--
> drivers/net/usb/asix_common.c | 19 +++++++++++++------
> drivers/net/usb/asix_devices.c | 21 ++++++++++++++++++---
> 3 files changed, 33 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/net/usb/asix.h b/drivers/net/usb/asix.h
> index 2a1e31def..4334aafab 100644
> --- a/drivers/net/usb/asix.h
> +++ b/drivers/net/usb/asix.h
> @@ -192,8 +192,8 @@ extern const struct driver_info ax88172a_info;
> /* ASIX specific flags */
> #define FLAG_EEPROM_MAC (1UL << 0) /* init device MAC from eeprom */
>
> -int asix_read_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index,
> - u16 size, void *data, int in_pm);
> +int __must_check asix_read_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index,
> + u16 size, void *data, int in_pm);
>
> int asix_write_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index,
> u16 size, void *data, int in_pm);
> diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
> index 71682970b..524805285 100644
> --- a/drivers/net/usb/asix_common.c
> +++ b/drivers/net/usb/asix_common.c
> @@ -11,8 +11,8 @@
>
> #define AX_HOST_EN_RETRIES 30
>
> -int asix_read_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index,
> - u16 size, void *data, int in_pm)
> +int __must_check asix_read_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index,
> + u16 size, void *data, int in_pm)
> {
> int ret;
> int (*fn)(struct usbnet *, u8, u8, u16, u16, void *, u16);
> @@ -27,9 +27,12 @@ int asix_read_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index,
> ret = fn(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
> value, index, data, size);
>
> - if (unlikely(ret < 0))
> + if (unlikely(ret < size)) {
> + ret = ret < 0 ? ret : -ENODATA;
> +
Didn't I suggest using the proper USB core functions for this instead of
rolling your own functions? We now have usb_control_msg_read() and
usb_control_msg_send() that prevents this type of thing from happening.
Ah, it's a bit more tangled up than that it seems, the number of layers
of abstractions here is odd and deep. This change looks fine for now to
keep syzbot happy:
Reviewed-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Powered by blists - more mailing lists