From: Oliver Neukum <oneukum@suse.com>
To: syzbot <syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com>,
davem@davemloft.net, swinslow@gmail.com, glider@google.com,
syzkaller-bugs@googlegroups.com, opensource@jilayne.com,
tglx@linutronix.de, gregkh@linuxfoundation.org,
allison@lohutok.net, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: KMSAN: uninit-value in ax88172a_bind
Date: Thu, 17 Oct 2019 16:02:20 +0200
Message-ID: <1571320940.5264.11.camel@suse.com>
In-Reply-To: <00000000000064555d0594ebff2f@google.com>
[-- Attachment #1: Type: text/plain, Size: 948 bytes --]
On Monday, 14.10.2019, at 22:10 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: fa169025 kmsan: get rid of unused static functions in kmsa..
> git tree: https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=1432a653600000
> kernel config: https://syzkaller.appspot.com/x/.config?x=49548798e87d32d7
> dashboard link: https://syzkaller.appspot.com/bug?extid=a8d4acdad35e6bbca308
> compiler: clang version 9.0.0 (/home/glider/llvm/clang
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14743a6f600000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=125bdbc7600000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
#syz test: https://github.com/google/kmsan.git fa169025
[-- Attachment #2: 0001-asix-fix-information-leak-on-short-answers.patch --]
[-- Type: text/x-patch, Size: 989 bytes --]
From a6fd7a04a330a8bfad836b20843ea5fe26e0ae38 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 17 Oct 2019 15:12:33 +0200
Subject: [PATCH] asix: fix information leak on short answers
If a malicious device gives a short MAC it can elicit up to
5 bytes of leaked memory out of the driver. We need to check for
ETH_ALEN.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/net/usb/ax88172a.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
index 011bd4cb546e..af3994e0853b 100644
--- a/drivers/net/usb/ax88172a.c
+++ b/drivers/net/usb/ax88172a.c
@@ -196,7 +196,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
/* Get the MAC address */
ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
- if (ret < 0) {
+ if (ret < ETH_ALEN) {
netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
goto free;
}
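Review bot: On a short read, the new `ret < ETH_ALEN` branch reaches `goto free;` with `ret` still holding a non-negative byte count (0 to 5), and nothing in this hunk converts it to an error code. If the `free` path returns `ret` unchanged, `ax88172a_bind()` would hand back a non-error value for a bind that failed. Consider forcing a negative errno for the short case before the jump, for example `if (ret >= 0) ret = -EIO;` ahead of `goto free;`. The `netdev_err()` text could also say whether it saw a short answer or a transfer error, since `%d` now prints either an errno or a length.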
--
2.16.4