From: Oliver Neukum <oneukum@suse.com>
To: "Bjørn Mork" <bjorn@mork.no>,
syzbot <syzbot+0631d878823ce2411636@syzkaller.appspotmail.com>
Cc: davem@davemloft.net, glider@google.com,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size
Date: Tue, 05 Nov 2019 12:15:16 +0100 [thread overview]
Message-ID: <1572952516.2921.6.camel@suse.com>
In-Reply-To: <87ftj32v6y.fsf@miraculix.mork.no>
On Monday, 04.11.2019, 22:22 +0100, Bjørn Mork wrote:
> This looks like a false positive to me. max_datagram_size is two bytes
> declared as
>
> __le16 max_datagram_size;
>
> and the code leading up to the access on drivers/net/usb/cdc_ncm.c:587
> is:
>
> /* read current mtu value from device */
> err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
> USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
> 0, iface_no, &max_datagram_size, 2);
At this point err can be 1.
> if (err < 0) {
> dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
> goto out;
> }
>
> if (le16_to_cpu(max_datagram_size) == ctx->max_datagram_size)
>
>
>
> AFAICS, there is no way max_datagram_size can be uninitialized here.
> usbnet_read_cmd() either read 2 bytes into it or returned an error,
No. usbnet_read_cmd() will return the number of bytes transferred, up
to the number requested, or an error.
> causing the access to be skipped. Or am I missing something?
Yes. You can get half the MTU. We have a similar class of bugs
with MAC addresses.
Regards
Oliver
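The short-read case Oliver describes, as an added example that is not part of the thread or of drivers/net/usb/cdc_ncm.c: a constructed stand-in for usbnet_read_cmd() that, like the real helper, returns the byte count actually transferred (0..len) or a negative errno, with the thread's `err < 0` check beside one that insists on the full two bytes. The device reply, the stale fill byte and the function names are assumptions made for the example; a real driver has no such fill, which is exactly why KMSAN reports the read.

```c
#include <stdint.h>
#include <string.h>

#define DGRAM_LEN 2

/* Constructed stand-in for usbnet_read_cmd(): returns the number of
 * bytes actually transferred (0..len) or a negative errno. It does not
 * promise to fill the whole buffer. `avail` models how many bytes the
 * device (or host controller) really delivered. */
static int fake_usbnet_read_cmd(const uint8_t *dev_reply, int avail,
                                void *buf, int len)
{
    if (avail < 0)
        return avail;            /* transfer error, e.g. -EPIPE */
    if (avail > len)
        avail = len;
    memcpy(buf, dev_reply, (size_t)avail);
    return avail;
}

/* Equivalent of le16_to_cpu() on a wire-order buffer. */
static uint16_t get_le16(const uint8_t b[DGRAM_LEN])
{
    return (uint16_t)(b[0] | (b[1] << 8));
}

/* Constructed device reply: GET_MAX_DATAGRAM_SIZE = 0x05DC = 1500,
 * little-endian on the wire. */
static const uint8_t DEV_REPLY[DGRAM_LEN] = { 0xDC, 0x05 };

/* Stand-in for whatever was on the stack before the call. The real
 * driver leaves max_datagram_size uninitialized; the fill only makes
 * the stale upper byte visible in the result. */
#define STALE_BYTE 0xAA

/* Pattern from the thread: only err < 0 is rejected.
 * Returns -1 if the value is skipped, otherwise the value the driver
 * would go on to compare against ctx->max_datagram_size. */
int read_dgram_size_err_lt_0(int avail)
{
    uint8_t raw[DGRAM_LEN] = { STALE_BYTE, STALE_BYTE };
    int err = fake_usbnet_read_cmd(DEV_REPLY, avail, raw, DGRAM_LEN);

    if (err < 0)
        return -1;               /* error path: value never used */
    return get_le16(raw);        /* used even when err == 1 */
}

/* Hardened pattern: anything but a full-length read is treated as an
 * error, so a one-byte reply never reaches the comparison. */
int read_dgram_size_full_len(int avail)
{
    uint8_t raw[DGRAM_LEN] = { STALE_BYTE, STALE_BYTE };
    int err = fake_usbnet_read_cmd(DEV_REPLY, avail, raw, DGRAM_LEN);

    if (err < 0)
        return -1;
    if (err != DGRAM_LEN)
        return -1;               /* short read: do not use partial data */
    return get_le16(raw);
}
```

With a one-byte reply the first variant happily returns 0xAADC, the low byte from the device and the high byte from the stack, which is the "half the MTU" case; the second variant rejects it. In the driver the same effect is had by checking the return value against sizeof(max_datagram_size) rather than only against zero (a suggested check, not a quote of the eventual fix).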
Thread overview: 11+ messages
2019-10-30 19:22 KMSAN: uninit-value in cdc_ncm_set_dgram_size syzbot
2019-11-04 21:22 ` Bjørn Mork
2019-11-05 11:15 ` Oliver Neukum [this message]
2019-11-05 12:25 ` Bjørn Mork
2019-11-05 13:51 ` Oliver Neukum
2019-11-05 13:55 ` Alexander Potapenko
2019-11-05 15:35 ` Greg Kroah-Hartman
2019-11-05 11:11 ` Oliver Neukum
2019-11-05 12:51 ` syzbot
2019-11-06 12:23 ` Oliver Neukum
2019-11-06 16:31 ` syzbot