Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp710914ybx; Tue, 5 Nov 2019 04:26:29 -0800 (PST) X-Google-Smtp-Source: APXvYqw+6rahsw+x+Rin7S0OlfF0fFjMTvQSviaWSFTXAgduIcQASIYY8OuiG8dzf54DwmtHOH/z X-Received: by 2002:a17:906:1c92:: with SMTP id g18mr11561745ejh.33.1572956788899; Tue, 05 Nov 2019 04:26:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572956788; cv=none; d=google.com; s=arc-20160816; b=zyDIQXB9PQN72fXSSXppWJmLv5YlXcdWBKC5uheMf1oGo60FOkaTkDhWNNZR7rLHzO Pp61JzoITlfyvKcYkevaay/O9uzmrUsblD0JpEOzBYDMDNzb2Q/NxFpK2NfAXaajtBIR K35RmRF2VbEHRauQYj8lcMTfg4J88Dr8wLDazWujJE+hb6hJ9u8DteRuJExgkmjWN7+Y rmNrz4oisDWHdbVX1nka1XdH/p2Z/H4hkf0+fD6g49LPa33Zt9sJENa27wvAjFpa1W2p doYvUVSd5g6WndqhQuAwPTkYCbCMJGO7RXtoeYzQ7RhTwbHfSdAjNAWycma4SBwqp5xf cYkw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:message-id:in-reply-to:date:references:organization :subject:cc:to:from:dkim-signature; bh=tOwwi/WeOCAIXQ192WTBNFpglAaamg3ZODywVvTUHmw=; b=YDl2QWLjjbdE/JRqJdsuGRLiGyqL8BndC2kKAgL4pK5oyNr5AH3SDghhCjoqxcuHzc wU+zu7wFwlSimBLs+yaNxGQs/WX7ZOKsdXij73XRAz2Dri3aVz6/NT6gyMqAJqqcVfEE atr2Re6hu7vyHgnrZG4kL8e+6bql6eMyZhTyHwO9HCXE2iL+7EgFk2p/NfEH3N9h3Da8 0S9iTWcUeviEAEvtasGIuf1M2jPiL73Y/5Zmt6uHVBDeNy2kYF6bTv7OXx1efDC05aEj akAgPPSBIv6bmGcf2WKDtlZtUCE/eoeSZNuEFXZfMf45xLMQYuRJfuxeDA4Kwsdq74Um VAtg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mork.no header.s=b header.b=TQPqrfus; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mork.no Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p3si10076357edj.395.2019.11.05.04.26.05; Tue, 05 Nov 2019 04:26:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@mork.no header.s=b header.b=TQPqrfus; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mork.no Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388402AbfKEMZ0 (ORCPT + 99 others); Tue, 5 Nov 2019 07:25:26 -0500 Received: from canardo.mork.no ([148.122.252.1]:53839 "EHLO canardo.mork.no" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387833AbfKEMZ0 (ORCPT ); Tue, 5 Nov 2019 07:25:26 -0500 Received: from miraculix.mork.no ([IPv6:2a02:2121:34b:47e9:c09a:74ff:fe7f:b715]) (authenticated bits=0) by canardo.mork.no (8.15.2/8.15.2) with ESMTPSA id xA5CPB1d025114 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Tue, 5 Nov 2019 13:25:12 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mork.no; s=b; t=1572956713; bh=tOwwi/WeOCAIXQ192WTBNFpglAaamg3ZODywVvTUHmw=; h=From:To:Cc:Subject:References:Date:Message-ID:From; b=TQPqrfusN90nUJlTRNsYyYncuPUeOojDV5YcLmLltY5hrfo64AICKxTw4DIG5zqFE 0ST3hDUderArNKlqL89Mw65AK+mf2BghLbW5Il2OLsV+xVFi/GFPx2RcU74UKBcPeM 81UTV4gprHWz5YN/XYQX6UmnScSjuCPXZxKdToxk= Received: from bjorn by miraculix.mork.no with local (Exim 4.92) (envelope-from ) id 1iRxtR-00044x-QL; Tue, 05 Nov 2019 13:25:05 +0100 From: =?utf-8?Q?Bj=C3=B8rn_Mork?= To: Oliver Neukum Cc: syzbot , davem@davemloft.net, glider@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size Organization: m References: <00000000000013c4c1059625a655@google.com> <87ftj32v6y.fsf@miraculix.mork.no> <1572952516.2921.6.camel@suse.com> Date: Tue, 05 Nov 2019 13:25:05 +0100 In-Reply-To: <1572952516.2921.6.camel@suse.com> (Oliver Neukum's message of "Tue, 05 Nov 2019 12:15:16 +0100") Message-ID: <875zjy33z2.fsf@miraculix.mork.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: clamav-milter 0.101.4 at canardo X-Virus-Status: Clean Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Oliver Neukum writes: > Am Montag, den 04.11.2019, 22:22 +0100 schrieb Bj=C3=B8rn Mork: >> This looks like a false positive to me. max_datagram_size is two bytes >> declared as >>=20 >> __le16 max_datagram_size; >>=20 >> and the code leading up to the access on drivers/net/usb/cdc_ncm.c:587 >> is: >>=20 >> /* read current mtu value from device */ >> err =3D usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE, >> USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_IN= TERFACE, >> 0, iface_no, &max_datagram_size, 2); > > At this point err can be 1. > >> if (err < 0) { >> dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n= "); >> goto out; >> } >>=20 >> if (le16_to_cpu(max_datagram_size) =3D=3D ctx->max_datagram_size) >>=20 >>=20 >>=20 >> AFAICS, there is no way max_datagram_size can be uninitialized here. >> usbnet_read_cmd() either read 2 bytes into it or returned an error, > > No. usbnet_read_cmd() will return the number of bytes transfered up > to the number requested or an error. Ah, OK. So that could be fixed with e.g. if (err < 2) goto out; Or would it be better to add a strict length checking variant of this API? There are probably lots of similar cases where we expect a multibyte value and a short read is (or should be) considered an error. I can't imagine any situation where we want a 2, 4, 6 or 8 byte value and expect a flexible length returned. >> causing the access to be skipped. Or am I missing something? > > Yes. You can get half the MTU. We have a similar class of bugs > with MAC addresses. Right. And probably all 16 or 32 bit integer reads... Looking at the NCM spec, I see that the wording is annoyingly flexible wrt length - both ways. E.g for GetNetAddress: To get the entire network address, the host should set wLength to at least 6. The function shall never return more than 6 bytes in response to this command. Maybe the correct fix is simply to let usbnet_read_cmd() initialize the full buffer regardless of what the device returns? I.e. diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index dde05e2fdc3e..df3efafca450 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1982,7 +1982,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 c= md, u8 reqtype, cmd, reqtype, value, index, size); =20 if (size) { - buf =3D kmalloc(size, GFP_KERNEL); + buf =3D kzalloc(size, GFP_KERNEL); if (!buf) goto out; } @@ -1992,7 +1992,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 c= md, u8 reqtype, USB_CTRL_GET_TIMEOUT); if (err > 0 && err <=3D size) { if (data) - memcpy(data, buf, err); + memcpy(data, buf, size); else netdev_dbg(dev->net, "Huh? Data requested but thrown away.\n"); What do you think? Personally, I don't think it makes sense for a device to return a 1-byte mtu or 3-byte mac address. But the spec allows it and this would at least make it safe. We have a couple of similar bugs elsewhere in the same driver, BTW.. Bj=C3=B8rn