linux-stable/drivers/net/usb
Shigeru Yoshida cda10784a1 net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
[ Upstream commit e9c6598992 ]

syzbot reported the following uninit-value access issue:

=====================================================
BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
 smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
 usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737
 usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374
 really_probe+0xf20/0x20b0 drivers/base/dd.c:529
 driver_probe_device+0x293/0x390 drivers/base/dd.c:701
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
 usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032
 usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241
 usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272
 really_probe+0xf20/0x20b0 drivers/base/dd.c:529
 driver_probe_device+0x293/0x390 drivers/base/dd.c:701
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
 usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554
 hub_port_connect drivers/usb/core/hub.c:5208 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]
 port_event drivers/usb/core/hub.c:5494 [inline]
 hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Local variable ----buf.i87@smsc75xx_bind created at:
 __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
 smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
 smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482
 __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
 smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
 smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482

This issue is caused because usbnet_read_cmd() reads fewer bytes than requested
(zero bytes in the reproducer). In this case, 'buf' is not properly filled.

This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
fewer bytes than requested.

Fixes: d0cad87170 ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
Reported-and-tested-by: syzbot+6966546b78d050bb0b5d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6966546b78d050bb0b5d
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20230923173549.3284502-1-syoshida@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-10-10 21:59:07 +02:00
aqc111.c
aqc111.h
asix.h
asix_common.c
asix_devices.c
ax88172a.c
ax88179_178a.c
catc.c
cdc-phonet.c
cdc_eem.c
cdc_ether.c USB: zaurus: Add ID for A-300/B-500/C-700 2023-08-11 15:13:55 +02:00
cdc_mbim.c net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 2023-03-30 12:47:54 +02:00
cdc_ncm.c net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize 2023-05-30 13:55:30 +01:00
cdc_subset.c
ch9200.c
cx82310_eth.c
dm9601.c
gl620a.c
hso.c
huawei_cdc_ncm.c
int51x1.c
ipheth.c
kalmia.c net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path 2023-02-22 12:57:09 +01:00
kaweth.c
Kconfig
lan78xx.c net: lan78xx: fix accessing the LAN7800's internal phy specific registers from the MAC driver 2023-03-17 08:48:54 +01:00
lan78xx.h
lg-vl600.c
Makefile
mcs7830.c
net1080.c
pegasus.c
pegasus.h
plusb.c net: USB: Fix wrong-direction WARNING in plusb.c 2023-02-14 19:18:02 +01:00
qmi_wwan.c net: usb: qmi_wwan: add Quectel EM05GV2 2023-09-19 12:22:28 +02:00
r8152.c r8152: check budget for r8152_poll() 2023-09-19 12:23:03 +02:00
r8153_ecm.c
rndis_host.c usb: rndis_host: Secure rndis_query check against int overflow 2023-01-12 11:59:16 +01:00
rtl8150.c
sierra_net.c
smsc75xx.c net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg 2023-10-10 21:59:07 +02:00
smsc75xx.h
smsc95xx.c net: usb: smsc95xx: Limit packet length to skb->len 2023-03-30 12:47:45 +02:00
smsc95xx.h
sr9700.c net: usb: sr9700: Handle negative len 2023-02-01 08:27:10 +01:00
sr9700.h
sr9800.c
sr9800.h
usbnet.c net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb 2023-08-11 15:13:58 +02:00
zaurus.c USB: zaurus: Add ID for A-300/B-500/C-700 2023-08-11 15:13:55 +02:00