Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp805250ybx; Tue, 5 Nov 2019 05:54:50 -0800 (PST) X-Google-Smtp-Source: APXvYqxiVo1I00hiOJdrnOxwHOqaY6G3W+AmlimCKXSBm0KRLgCD8x0DA16a6rmxGK60mbVp+2C2 X-Received: by 2002:a17:906:7094:: with SMTP id b20mr29584941ejk.134.1572962090288; Tue, 05 Nov 2019 05:54:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572962090; cv=none; d=google.com; s=arc-20160816; b=mOhdYWf2agnfD9vFbZ7TATB4udlG1UJxEpu+ABe3rVLge30co21fTUSb5HuH5wTD5g Ffjr4EmL8boXNRn+gcjbRxLHZeMQjzYcfZq9AtW51sGNDKE9uxkSX4TTyH05nVGUvJjz Jrglh+rjrVbnkPuYNJ/AXCJQVc1vMUU2UIdKYLLrlD1JO2TY3TOg6KPJwQSX1g2qEuk2 Vb6sB2/ILsEJDJjlYZGPkOp+m4gXM5cfe+IJmK7ZVtbVRo86nGT1wZ14r4boghqiWQeD xTwoqlnMq2bkHTd25J4+X0FEJ0UcjEQzdHgUj1nhxsA9HEkW+lbvNIG+1LRB+otXNWEp NfYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id; bh=mkCV7S0qsDz9HXqLjeNLQP86hssp1OAs+ii0D5Aet/s=; b=1EEUKHMshQV8MniQFkFQhPFp8po/hAlIpncZq1q7brsI3g8dxfrF7bDZbM+/yf56tP LUZmwQx/81YTNyE5YJgoccdUKkFc7VLewAM0C8OxJzcXjD8bq+mLcYLQMwl6oF3lo7wJ cFEKGWeNVaShDETP1fyNg547dbCDv/K8NW2ssAcJigS1Z6brp+EAVzFks3YVv1LbpTbf gU0nJB9qnxHtWwX+yRQ9L5y7PAsowL4uSi2+JJY0VVhYK0VPw5mAr3kwHXGTh1S0VFMI KAZBtwYncht5H0XiE+nSx73ry+JlC/seF/+Dv4bIlqqpQFIzxk6nmghsecF8BHU+dUpV DS6w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v35si10985456edm.213.2019.11.05.05.54.27; Tue, 05 Nov 2019 05:54:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389355AbfKENvW (ORCPT + 99 others); Tue, 5 Nov 2019 08:51:22 -0500 Received: from mx2.suse.de ([195.135.220.15]:38298 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2389227AbfKENvW (ORCPT ); Tue, 5 Nov 2019 08:51:22 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 5C698B1BD; Tue, 5 Nov 2019 13:51:20 +0000 (UTC) Message-ID: <1572961879.2921.13.camel@suse.com> Subject: Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size From: Oliver Neukum To: =?ISO-8859-1?Q?Bj=F8rn?= Mork Cc: syzbot , davem@davemloft.net, glider@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com Date: Tue, 05 Nov 2019 14:51:19 +0100 In-Reply-To: <875zjy33z2.fsf@miraculix.mork.no> References: <00000000000013c4c1059625a655@google.com> <87ftj32v6y.fsf@miraculix.mork.no> <1572952516.2921.6.camel@suse.com> <875zjy33z2.fsf@miraculix.mork.no> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Dienstag, den 05.11.2019, 13:25 +0100 schrieb Bjørn Mork: > Oliver Neukum writes: > > Am Montag, den 04.11.2019, 22:22 +0100 schrieb Bjørn Mork: > Ah, OK. So that could be fixed with e.g. > > if (err < 2) > goto out; > > > Or would it be better to add a strict length checking variant of this > API? There are probably lots of similar cases where we expect a We would lose flexibilty and the check needs to be there anyway. > Right. And probably all 16 or 32 bit integer reads... > > Looking at the NCM spec, I see that the wording is annoyingly flexible > wrt length - both ways. E.g for GetNetAddress: > > To get the entire network address, the host should set wLength to at > least 6. The function shall never return more than 6 bytes in response > to this command. > > Maybe the correct fix is simply to let usbnet_read_cmd() initialize the > full buffer regardless of what the device returns? I.e. This issue has never been observed in the wild. We are defending against a possible attack. It is better to react drastically. > at do you think? > > Personally, I don't think it makes sense for a device to return a 1-byte > mtu or 3-byte mac address. But the spec allows it and this would at > least make it safe. Hence we should ignore such a reply. The support is optional anyway. For usbnet as such, however, we cannot really hardcode the size of a MAC. Regards Oliver