From: Qasim Ijaz <qasdev00@gmail.com>
To: andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org
Cc: linux-usb@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, Qasim Ijaz <qasdev00@gmail.com>,
syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>,
stable@vger.kernel.org
Subject: [PATCH 1/4] net: fix uninitialised access in mii_nway_restart()
Date: Wed, 19 Mar 2025 11:21:53 +0000
Message-ID: <20250319112156.48312-2-qasdev00@gmail.com>
In-Reply-To: <20250319112156.48312-1-qasdev00@gmail.com>

In mii_nway_restart() during the line:

    bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR);

The code attempts to call mii->mdio_read which is ch9200_mdio_read().
ch9200_mdio_read() utilises a local buffer, which is initialised
with control_read():

    unsigned char buff[2];

However buff is conditionally initialised inside control_read():

    if (err == size) {
        memcpy(data, buf, size);
    }

If the condition of "err == size" is not met, then buff remains
uninitialised. Once this happens the uninitialised buff is accessed
and returned during ch9200_mdio_read():

    return (buff[0] | buff[1] << 8);

The problem stems from the fact that ch9200_mdio_read() ignores the
return value of control_read(), leading to uninit-access of buff.

To fix this we should check the return value of control_read()
and return early on error.

Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9
Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices")
Cc: stable@vger.kernel.org
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
---
drivers/net/mii.c | 2 ++
drivers/net/usb/ch9200.c | 7 +++++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/net/mii.c b/drivers/net/mii.c
index 37bc3131d31a..e305bf0f1d04 100644
--- a/drivers/net/mii.c
+++ b/drivers/net/mii.c
@@ -464,6 +464,8 @@ int mii_nway_restart (struct mii_if_info *mii)
/* if autoneg is off, it's an error */
bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR);
+ if (bmcr < 0)
+ return bmcr;
if (bmcr & BMCR_ANENABLE) {
bmcr |= BMCR_ANRESTART;
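Review bot: the new `if (bmcr < 0) return bmcr;` only helps when the driver's mdio_read callback actually returns a negative errno; the ch9200.c hunk below makes that true for this driver, but mii_nway_restart() is shared by every mii_if_info user, so a callback that reports failure with 0 or 0xffff still goes straight into the `bmcr & BMCR_ANENABLE` branch as before. Worth stating that scope in the changelog (the Subject reads as a generic net fix) and confirming `bmcr` is declared as a signed `int`, which the hunk context does not show, so the comparison is meaningful.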
diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c
index f69d9b902da0..a206ffa76f1b 100644
--- a/drivers/net/usb/ch9200.c
+++ b/drivers/net/usb/ch9200.c
@@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc)
{
struct usbnet *dev = netdev_priv(netdev);
unsigned char buff[2];
+ int ret;
netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n",
__func__, phy_id, loc);
@@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc)
if (phy_id != 0)
return -ENODEV;
- control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02,
- CONTROL_TIMEOUT_MS);
+ ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02,
+ CONTROL_TIMEOUT_MS);
+ if (ret < 0)
+ return ret;
return (buff[0] | buff[1] << 8);
}
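Review bot: `if (ret < 0) return ret;` does not cover a non-negative return that is not the requested size: the commit message shows control_read() copies into buff only when `err == size`, so a short transfer (0 or 1 bytes) would still pass this check and `return (buff[0] | buff[1] << 8);` would read the unfilled buffer. Either treat `ret != sizeof(buff)` as an error here or confirm that control_read() maps every non-`size` outcome to a negative errno. While here, the literal `0x02` could become `sizeof(buff)` so the request size and the buffer cannot drift apart.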
--
2.39.5
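To make the failure described in the commit message concrete, here is an added userspace C model of the two code paths (before and after the fix); it is not kernel code and not part of the patch. The transfer result is injected as a parameter, the register bytes are a constructed BMCR value, and the 0xAA poison in the unchecked path stands in for whatever happened to be on the stack.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define BMCR_ANENABLE 0x1000

/* Constructed register contents: little-endian 0x1100, ANENABLE set. */
static const uint8_t fake_bmcr[2] = { 0x00, 0x11 };

/* Mirrors control_read(): `xfer` plays the role of the usb_control_msg()
 * result (byte count on success, negative errno on failure). The caller's
 * buffer is only filled when the whole requested size was transferred. */
static int control_read(void *data, int size, int xfer)
{
	if (xfer == size)
		memcpy(data, fake_bmcr, size);
	return xfer;
}

/* Before the fix: the return value is ignored and buff is used regardless.
 * memset() with 0xAA makes the stale-buffer outcome deterministic here;
 * in the driver the contents are genuinely uninitialised. */
static int mdio_read_unchecked(int xfer)
{
	unsigned char buff[2];

	memset(buff, 0xAA, sizeof(buff));
	control_read(buff, sizeof(buff), xfer);
	return buff[0] | buff[1] << 8;
}

/* After the fix: propagate the error so buff is never read unfilled. */
static int mdio_read_checked(int xfer)
{
	unsigned char buff[2];
	int ret = control_read(buff, sizeof(buff), xfer);

	if (ret < 0)
		return ret;
	return buff[0] | buff[1] << 8;
}

/* Mirrors the mii_nway_restart() hunk: bail out on a negative read,
 * otherwise report -EINVAL when autoneg is off (the write is omitted). */
static int nway_restart(int (*mdio_read)(int), int xfer)
{
	int bmcr = mdio_read(xfer);

	if (bmcr < 0)
		return bmcr;
	return (bmcr & BMCR_ANENABLE) ? 0 : -EINVAL;
}
```

With a failed transfer the unchecked path hands 0xAAAA to nway_restart(), which then misreports "autoneg off" as -EINVAL; the checked path surfaces the real -EIO instead.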