From: Pavel Skripkin <paskripkin@gmail.com>
To: stefan@datenfreihafen.org, alex.aring@gmail.com,
davem@davemloft.net, kuba@kernel.org, linux-wpan@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Pavel Skripkin <paskripkin@gmail.com>,
Alexander Potapenko <glider@google.com>,
Alexander Aring <aahringo@redhat.com>
Subject: [PATCH v3] ieee802154: atusb: fix uninit value in atusb_set_extended_addr
Date: Tue, 4 Jan 2022 21:28:06 +0300
Message-ID: <20220104182806.7188-1-paskripkin@gmail.com>
In-Reply-To: <e8e73fcc-b902-4972-6001-84671361146d@datenfreihafen.org>
Alexander reported a use of an uninitialized value in
atusb_set_extended_addr(), which is caused by reading 0 bytes via
usb_control_msg().
Fix it by validating that the number of bytes transferred is actually
correct, since usb_control_msg() may read fewer bytes than were requested
by the caller.
Fail log:
BUG: KASAN: uninit-cmp in ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
BUG: KASAN: uninit-cmp in atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
BUG: KASAN: uninit-cmp in atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
Uninit value used in comparison: 311daa649a2003bd stack handle: 000000009a2003bd
ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396
Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver")
Reported-by: Alexander Potapenko <glider@google.com>
Acked-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
Changes in v3:
- Changed atusb_control_msg() to usb_control_msg() in
atusb_get_and_show_build(), since the request there may read
variable-length data
Changes in v2:
- Reworked fix approach, since moving to new USB API is not
suitable for backporting to stable kernels
---
drivers/net/ieee802154/atusb.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
index 23ee0b14cbfa..2f5e7b31032a 100644
--- a/drivers/net/ieee802154/atusb.c
+++ b/drivers/net/ieee802154/atusb.c
@@ -93,7 +93,9 @@ static int atusb_control_msg(struct atusb *atusb, unsigned int pipe,
ret = usb_control_msg(usb_dev, pipe, request, requesttype,
value, index, data, size, timeout);
- if (ret < 0) {
+ if (ret < size) {
+ ret = ret < 0 ? ret : -ENODATA;
+
atusb->err = ret;
dev_err(&usb_dev->dev,
"%s: req 0x%02x val 0x%x idx 0x%x, error %d\n",
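Review bot: the `ret = ret < 0 ? ret : -ENODATA;` rewrite happens before the dev_err() call, so for a short read the log line "error %d" now reports -ENODATA and the actual byte count is lost; consider logging `ret` (or `ret` against `size`) before overwriting it, e.g. a separate dev_err() branch for the short-transfer case, so a truncated response can be told apart from a genuine USB error when debugging a misbehaving device. The stray `+` blank line between the assignment and `atusb->err = ret;` is also worth dropping for checkpatch. Otherwise the approach is sound: with `if (ret < size)` every caller that passes a fixed `size` gets a negative return for a partial transfer, which is exactly what closes the uninitialized-read in atusb_set_extended_addr().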
@@ -861,9 +863,9 @@ static int atusb_get_and_show_build(struct atusb *atusb)
if (!build)
return -ENOMEM;
- ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
- ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
- build, ATUSB_BUILD_SIZE, 1000);
+ /* We cannot call atusb_control_msg() here, since this request may read various length data */
+ ret = usb_control_msg(atusb->usb_dev, usb_rcvctrlpipe(usb_dev, 0), ATUSB_BUILD,
+ ATUSB_REQ_FROM_DEV, 0, 0, build, ATUSB_BUILD_SIZE, 1000);
if (ret >= 0) {
build[ret] = 0;
dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
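Review bot: switching this call to raw usb_control_msg() bypasses the error bookkeeping that atusb_control_msg() performs in the first hunk (`atusb->err = ret;` plus the dev_err() report), so a failed ATUSB_BUILD request is now silently ignored rather than recorded in `atusb->err`; if that is intentional because the build string is informational only, a short comment saying so would help, otherwise add an `else` branch that logs the error. Two style points: the new call mixes `atusb->usb_dev` for the first argument with the local `usb_dev` in `usb_rcvctrlpipe(usb_dev, 0)` and `&usb_dev->dev`, so use `usb_dev` in both places, and the added comment line exceeds 80 columns and should be wrapped.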
--
2.34.1