| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 May 2022 19:51:12 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: David Kahurani <k.kahurani@...il.com>, netdev@...r.kernel.org
Cc: syzbot+d3dbdf31fbe9d8f5f311@...kaller.appspotmail.com,
davem@...emloft.net, jgg@...pe.ca, kuba@...nel.org,
linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
phil@...lpotter.co.uk, syzkaller-bugs@...glegroups.com,
arnd@...db.de, dan.carpenter@...cle.com
Subject: Re: [PATCH] net: ax88179: add proper error handling of usb read
errors
Hi David,
On 5/14/22 16:32, David Kahurani wrote:
> Reads that are lesser than the requested size lead to uninit-value bugs.
> In this particular case a variable which was supposed to be initialized
> after a read is left uninitialized after a partial read.
>
> Qualify such reads as errors and handle them correctly and while at it
> convert the reader functions to return zero on success for easier error
> handling.
>
> Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
> Signed-off-by: David Kahurani <k.kahurani@...il.com>
> Reported-and-tested-by: syzbot+d3dbdf31fbe9d8f5f311@...kaller.appspotmail.com
> ---
<--- here (*)
> drivers/net/usb/ax88179_178a.c | 281 ++++++++++++++++++++++++++-------
> 1 file changed, 227 insertions(+), 54 deletions(-)
>
I don't see any error in that patch, but I had to find previous versions
of that patch in my inbox.
Usually new versions of single patches are linked in one thread and have
a version number in a title. You can generate patch with version using
-v option of git format-patch like:
$ git format-patch -v2 HEAD~
And you can send new version as reply using --in-reply= option of git
send-email. It helps a lot with finding previous version, since all
version are linked in one thread
And all updates from version to version should be put under --- (*),
since it's hard to remember why previous version was rejected.
> jtimeout = jiffies + delay;
> do {
> - ax88179_read_cmd(dev, AX_ACCESS_MAC, AX_SROM_CMD,
> - 1, 1, &buf);
> + ret = ax88179_read_cmd(dev, AX_ACCESS_MAC, AX_SROM_CMD,
> + 1, 1, &buf);
> + if (ret) {
> + netdev_dbg(dev->net,
> + "Failed to read SROM_CMD: %d\n",
> + ret);
> + return ret;
> + }
>
> if (time_after(jiffies, jtimeout))
> return -EINVAL;
>
> } while (buf & EEP_BUSY);
I think, this change might be dangerous. Maybe it should be done in the
same way as in asix driver [1]. Code polls for some register after a
write and maybe non-fatal read error might occur here.
Just my thoughts, I don't know anything about that device :)
> + ret = ax88179_read_cmd(dev, AX_ACCESS_MAC, AX_NODE_ID, ETH_ALEN,
> + ETH_ALEN, mac);
> +
> + if (ret)
> + netdev_dbg(dev->net, "Failed to read NODE_ID: %d", ret);
> + else
> + netif_dbg(dev, ifup, dev->net,
> + "MAC address read from ASIX chip");
Maybe also use `netif_dbg` here?... There should be a reason why it was
used here in the first place. Or should not :)
Anyway, if someone will say that bailing out from while loop on any
error is OK feel free to add
Reviewed-by: Pavel Skripkin <paskripkin@...il.com>
[1]
https://elixir.bootlin.com/linux/latest/source/drivers/net/usb/asix_common.c#L78
With regards,
Pavel Skripkin
Download attachment "OpenPGP_signature" of type "application/pgp-signature" (841 bytes)
Powered by blists - more mailing lists