From: Petko Manolov <petko.manolov@konsulko.com>
To: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Cc: Petko Manolov <petkan@nucleusys.com>,
syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com,
netdev@vger.kernel.org, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org, Jakub Kicinski <kuba@kernel.org>,
linux-kernel-mentees@lists.linuxfoundation.org,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [Linux-kernel-mentees] [PATCH] net: usb: rtl8150: prevent set_ethernet_addr from setting uninit address
Date: Tue, 29 Sep 2020 11:47:52 +0300 [thread overview]
Message-ID: <20200929084752.GA8101@carbon> (raw)
In-Reply-To: <20200929082028.50540-1-anant.thazhemadam@gmail.com>
On 20-09-29 13:50:28, Anant Thazhemadam wrote:
> When get_registers() fails (which happens when usb_control_msg() fails)
> in set_ethernet_addr(), the uninitialized value of node_id gets copied
> as the address.
>
> Checking for the return values appropriately, and handling the case
> wherein set_ethernet_addr() fails like this, helps in avoiding the
> mac address being incorrectly set in this manner.
>
> Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
> drivers/net/usb/rtl8150.c | 24 ++++++++++++++++--------
> 1 file changed, 16 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
> index 733f120c852b..e542a9ab2ff8 100644
> --- a/drivers/net/usb/rtl8150.c
> +++ b/drivers/net/usb/rtl8150.c
> @@ -150,7 +150,7 @@ static const char driver_name [] = "rtl8150";
> ** device related part of the code
> **
> */
> -static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
> +static int get_registers(rtl8150_t *dev, u16 indx, u16 size, void *data)
> {
> void *buf;
> int ret;
> @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
> return 1;
> }
>
> -static inline void set_ethernet_addr(rtl8150_t * dev)
> +static bool set_ethernet_addr(rtl8150_t *dev)
> {
> u8 node_id[6];
> + int ret;
>
> - get_registers(dev, IDR, sizeof(node_id), node_id);
> - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
> + ret = get_registers(dev, IDR, sizeof(node_id), node_id);
> + if (ret > 0 && ret <= sizeof(node_id)) {
get_registers() was recently modified to use usb_control_msg_recv() which does
not return partial reads. IOW you'll either get negative value or
sizeof(node_id). Since it is good to be paranoid i'd convert the above check
to:
if (ret == sizeof(node_id)) {
and fail in any other case. Apart from this minor detail the rest of the patch
looks good to me.
Acked-by: Petko Manolov
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
WARNING: multiple messages have this Message-ID (diff)
From: Petko Manolov <petko.manolov@konsulko.com>
To: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Cc: linux-kernel-mentees@lists.linuxfoundation.org,
syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com,
Petko Manolov <petkan@nucleusys.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
linux-usb@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees][PATCH] net: usb: rtl8150: prevent set_ethernet_addr from setting uninit address
Date: Tue, 29 Sep 2020 11:47:52 +0300 [thread overview]
Message-ID: <20200929084752.GA8101@carbon> (raw)
In-Reply-To: <20200929082028.50540-1-anant.thazhemadam@gmail.com>
On 20-09-29 13:50:28, Anant Thazhemadam wrote:
> When get_registers() fails (which happens when usb_control_msg() fails)
> in set_ethernet_addr(), the uninitialized value of node_id gets copied
> as the address.
>
> Checking for the return values appropriately, and handling the case
> wherein set_ethernet_addr() fails like this, helps in avoiding the
> mac address being incorrectly set in this manner.
>
> Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
> drivers/net/usb/rtl8150.c | 24 ++++++++++++++++--------
> 1 file changed, 16 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
> index 733f120c852b..e542a9ab2ff8 100644
> --- a/drivers/net/usb/rtl8150.c
> +++ b/drivers/net/usb/rtl8150.c
> @@ -150,7 +150,7 @@ static const char driver_name [] = "rtl8150";
> ** device related part of the code
> **
> */
> -static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
> +static int get_registers(rtl8150_t *dev, u16 indx, u16 size, void *data)
> {
> void *buf;
> int ret;
> @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
> return 1;
> }
>
> -static inline void set_ethernet_addr(rtl8150_t * dev)
> +static bool set_ethernet_addr(rtl8150_t *dev)
> {
> u8 node_id[6];
> + int ret;
>
> - get_registers(dev, IDR, sizeof(node_id), node_id);
> - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
> + ret = get_registers(dev, IDR, sizeof(node_id), node_id);
> + if (ret > 0 && ret <= sizeof(node_id)) {
get_registers() was recently modified to use usb_control_msg_recv() which does
not return partial reads. IOW you'll either get negative value or
sizeof(node_id). Since it is good to be paranoid i'd convert the above check
to:
if (ret == sizeof(node_id)) {
and fail in any other case. Apart from this minor detail the rest of the patch
looks good to me.
Acked-by: Petko Manolov
next prev parent reply other threads:[~2020-09-29 8:56 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-29 8:20 [Linux-kernel-mentees] [PATCH] net: usb: rtl8150: prevent set_ethernet_addr from setting uninit address Anant Thazhemadam
2020-09-29 8:20 ` [Linux-kernel-mentees][PATCH] " Anant Thazhemadam
2020-09-29 8:46 ` [Linux-kernel-mentees] [PATCH] " Anant Thazhemadam
2020-09-29 8:46 ` [Linux-kernel-mentees][PATCH] " Anant Thazhemadam
2020-09-29 8:47 ` Petko Manolov [this message]
2020-09-29 8:47 ` Petko Manolov
2020-09-30 4:02 ` [Linux-kernel-mentees] [PATCH] " Anant Thazhemadam
2020-09-30 4:02 ` [Linux-kernel-mentees][PATCH] " Anant Thazhemadam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200929084752.GA8101@carbon \
--to=petko.manolov@konsulko.com \
--cc=anant.thazhemadam@gmail.com \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=petkan@nucleusys.com \
--cc=syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.