Re: [PATCH] net: fix uninitialised access in mii_nway_restart() and cleanup error handling

[Qasim Ijaz <qasdev00@gmail.com>]

On Tue, Mar 18, 2025 at 11:29:15AM +0100, Paolo Abeni wrote:
> On 3/11/25 5:11 PM, Qasim Ijaz wrote:
> > In mii_nway_restart() during the line:
> > 
> >         bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR);
> > 
> > The code attempts to call mii->mdio_read which is ch9200_mdio_read().
> > 
> > ch9200_mdio_read() utilises a local buffer, which is initialised
> > with control_read():
> > 
> >         unsigned char buff[2];
> > 
> > However buff is conditionally initialised inside control_read():
> > 
> >         if (err == size) {
> >                 memcpy(data, buf, size);
> >         }
> > 
> > If the condition of "err == size" is not met, then buff remains
> > uninitialised. Once this happens the uninitialised buff is accessed
> > and returned during ch9200_mdio_read():
> > 
> >         return (buff[0] | buff[1] << 8);
> > 
> > The problem stems from the fact that ch9200_mdio_read() ignores the
> > return value of control_read(), leading to uinit-access of buff.
> > 
> > To fix this we should check the return value of control_read()
> > and return early on error.
> > 
> > Furthermore the get_mac_address() function has a similar problem where
> > it does not directly check the return value of each control_read(),
> > instead it sums up the return values and checks them all at the end
> > which means if any call to control_read() fails the function just 
> > continues on.
> > 
> > Handle this by validating the return value of each call and fail fast
> > and early instead of continuing.
> > 
> > Lastly ch9200_bind() ignores the return values of multiple 
> > control_write() calls.
> > 
> > Validate each control_write() call to ensure it succeeds before
> > continuing with the next call.
> > 
> > Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
> > Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9
> > Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
> > Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
> 
> Please split the patch in a small series, as suggested by Simon.
> 
> Please additionally include the target tree name ('net', in this case)
> in the subj prefix.
> 
Hi Paolo and Simon,

Thanks for the suggestions and advice, I have sent a mini patch series which you
can view:

Link: <https://lore.kernel.org/all/20250319112156.48312-1-qasdev00@gmail.com/>

Thanks,
Qasim

> Thanks,
> 
> Paolo
>