From: Dan Carpenter <dan.carpenter@oracle.com>
To: Wang Cheng <wanngchenng@gmail.com>
Cc: Larry.Finger@lwfinger.net, florian.c.schilhabel@googlemail.com,
gregkh@linuxfoundation.org, linux-staging@lists.linux.dev,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8712: fix uninit-value "data" and "mac"
Date: Thu, 14 Apr 2022 18:42:15 +0300 [thread overview]
Message-ID: <20220414154215.GL3293@kadam> (raw)
In-Reply-To: <20220414141223.qwiznrwgjyywngfg@ppc.localdomain>
On Thu, Apr 14, 2022 at 10:12:23PM +0800, Wang Cheng wrote:
> Due to the case that "requesttype == 0x01 && status <= 0"
> isn't handled in r8712_usbctrl_vendorreq(),
> "data" (drivers/staging/rtl8712/usb_ops.c:32)
> will be returned without initialization.
>
> When "tmpU1b" (drivers/staging/rtl8712/usb_intf.c:395)
> is 0, mac[6] (usb_intf.c:394) won't be initialized,
> which leads to accessing uninit-value on usb_intf.c:541.
These line numbers are sort of useless because everyone is on a
different git hash.
>
> Reported-and-tested-by: syzbot+6f5ecd144854c0d8580b@syzkaller.appspotmail.com
> Signed-off-by: Wang Cheng <wanngchenng@gmail.com>
> ---
> drivers/staging/rtl8712/usb_intf.c | 6 +++---
> drivers/staging/rtl8712/usb_ops_linux.c | 14 ++++++++------
> 2 files changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c
> index ee4c61f85a07..50dcd3ecb685 100644
> --- a/drivers/staging/rtl8712/usb_intf.c
> +++ b/drivers/staging/rtl8712/usb_intf.c
> @@ -538,13 +538,13 @@ static int r871xu_drv_init(struct usb_interface *pusb_intf,
> } else {
> AutoloadFail = false;
> }
> - if (((mac[0] == 0xff) && (mac[1] == 0xff) &&
> + if ((!AutoloadFail) ||
> + ((mac[0] == 0xff) && (mac[1] == 0xff) &&
> (mac[2] == 0xff) && (mac[3] == 0xff) &&
> (mac[4] == 0xff) && (mac[5] == 0xff)) ||
> ((mac[0] == 0x00) && (mac[1] == 0x00) &&
> (mac[2] == 0x00) && (mac[3] == 0x00) &&
> - (mac[4] == 0x00) && (mac[5] == 0x00)) ||
> - (!AutoloadFail)) {
> + (mac[4] == 0x00) && (mac[5] == 0x00))) {
> mac[0] = 0x00;
> mac[1] = 0xe0;
> mac[2] = 0x4c;
This is a separate fix from the rest of the patch. Send it by itself.
> diff --git a/drivers/staging/rtl8712/usb_ops_linux.c b/drivers/staging/rtl8712/usb_ops_linux.c
> index f984a5ab2c6f..e321ca4453ca 100644
> --- a/drivers/staging/rtl8712/usb_ops_linux.c
> +++ b/drivers/staging/rtl8712/usb_ops_linux.c
> @@ -495,12 +495,14 @@ int r8712_usbctrl_vendorreq(struct intf_priv *pintfpriv, u8 request, u16 value,
> }
> status = usb_control_msg(udev, pipe, request, reqtype, value, index,
> pIo_buf, len, 500);
> - if (status > 0) { /* Success this control transfer. */
> - if (requesttype == 0x01) {
> - /* For Control read transfer, we have to copy the read
> - * data from pIo_buf to pdata.
> - */
> - memcpy(pdata, pIo_buf, status);
> + /* For Control read transfer, copy the read data from pIo_buf to pdata
> + * when control transfer success; otherwise init *pdata with 0.
> + */
> + if (requesttype == 0x01) {
> + if (status > 0)
> + memcpy(pdata, pIo_buf, status);
> + else
> + *(u32 *)pdata = 0;
> }
This isn't really correct. In many cases status is "len" is less than 4.
I'm slightly surprised that nothing complains about that as an
uninitialized access. But then another problem is that "status" can be
less than "len".
A better fix instead of setting pdata to zero would be to add error
checking in the callers and then change this code to use
usb_control_msg_send/recv(). Probably just initialize "data" in the
callers as well.
regards,
dan carpenter
next prev parent reply other threads:[~2022-04-14 15:43 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-14 14:12 [PATCH] staging: rtl8712: fix uninit-value "data" and "mac" Wang Cheng
2022-04-14 15:42 ` Dan Carpenter [this message]
2022-04-14 15:49 ` Dan Carpenter
2022-04-15 9:47 ` Wang Cheng
2022-04-15 9:57 ` Dan Carpenter
2022-04-15 10:51 ` Wang Cheng
2022-05-06 3:07 ` Wang Cheng
2022-04-15 10:02 ` Dan Carpenter
2022-04-14 20:12 ` Pavel Skripkin
2022-04-15 9:57 ` Wang Cheng
2022-04-16 10:57 ` Pavel Skripkin
2022-04-18 4:00 ` Wang Cheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220414154215.GL3293@kadam \
--to=dan.carpenter@oracle.com \
--cc=Larry.Finger@lwfinger.net \
--cc=florian.c.schilhabel@googlemail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=wanngchenng@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox