Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp805250ybx;
        Tue, 5 Nov 2019 05:54:50 -0800 (PST)
X-Google-Smtp-Source: APXvYqxiVo1I00hiOJdrnOxwHOqaY6G3W+AmlimCKXSBm0KRLgCD8x0DA16a6rmxGK60mbVp+2C2
X-Received: by 2002:a17:906:7094:: with SMTP id b20mr29584941ejk.134.1572962090288;
        Tue, 05 Nov 2019 05:54:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1572962090; cv=none;
        d=google.com; s=arc-20160816;
        b=mOhdYWf2agnfD9vFbZ7TATB4udlG1UJxEpu+ABe3rVLge30co21fTUSb5HuH5wTD5g
         Ffjr4EmL8boXNRn+gcjbRxLHZeMQjzYcfZq9AtW51sGNDKE9uxkSX4TTyH05nVGUvJjz
         Jrglh+rjrVbnkPuYNJ/AXCJQVc1vMUU2UIdKYLLrlD1JO2TY3TOg6KPJwQSX1g2qEuk2
         Vb6sB2/ILsEJDJjlYZGPkOp+m4gXM5cfe+IJmK7ZVtbVRo86nGT1wZ14r4boghqiWQeD
         xTwoqlnMq2bkHTd25J4+X0FEJ0UcjEQzdHgUj1nhxsA9HEkW+lbvNIG+1LRB+otXNWEp
         NfYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id;
        bh=mkCV7S0qsDz9HXqLjeNLQP86hssp1OAs+ii0D5Aet/s=;
        b=1EEUKHMshQV8MniQFkFQhPFp8po/hAlIpncZq1q7brsI3g8dxfrF7bDZbM+/yf56tP
         LUZmwQx/81YTNyE5YJgoccdUKkFc7VLewAM0C8OxJzcXjD8bq+mLcYLQMwl6oF3lo7wJ
         cFEKGWeNVaShDETP1fyNg547dbCDv/K8NW2ssAcJigS1Z6brp+EAVzFks3YVv1LbpTbf
         gU0nJB9qnxHtWwX+yRQ9L5y7PAsowL4uSi2+JJY0VVhYK0VPw5mAr3kwHXGTh1S0VFMI
         KAZBtwYncht5H0XiE+nSx73ry+JlC/seF/+Dv4bIlqqpQFIzxk6nmghsecF8BHU+dUpV
         DS6w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v35si10985456edm.213.2019.11.05.05.54.27;
        Tue, 05 Nov 2019 05:54:50 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389355AbfKENvW (ORCPT <rfc822;zhangckid@gmail.com> + 99 others);
        Tue, 5 Nov 2019 08:51:22 -0500
Received: from mx2.suse.de ([195.135.220.15]:38298 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S2389227AbfKENvW (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Nov 2019 08:51:22 -0500
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (unknown [195.135.220.254])
        by mx1.suse.de (Postfix) with ESMTP id 5C698B1BD;
        Tue,  5 Nov 2019 13:51:20 +0000 (UTC)
Message-ID: <1572961879.2921.13.camel@suse.com>
Subject: Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size
From:   Oliver Neukum <oneukum@suse.com>
To:     =?ISO-8859-1?Q?Bj=F8rn?= Mork <bjorn@mork.no>
Cc:     syzbot <syzbot+0631d878823ce2411636@syzkaller.appspotmail.com>,
        davem@davemloft.net, glider@google.com,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Date:   Tue, 05 Nov 2019 14:51:19 +0100
In-Reply-To: <875zjy33z2.fsf@miraculix.mork.no>
References: <00000000000013c4c1059625a655@google.com>
         <87ftj32v6y.fsf@miraculix.mork.no> <1572952516.2921.6.camel@suse.com>
         <875zjy33z2.fsf@miraculix.mork.no>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.26.6 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Am Dienstag, den 05.11.2019, 13:25 +0100 schrieb Bjørn Mork:
> Oliver Neukum <oneukum@suse.com> writes:
> > Am Montag, den 04.11.2019, 22:22 +0100 schrieb Bjørn Mork:

> Ah, OK. So that could be fixed with e.g.
> 
>   if (err < 2)
>        goto out;
> 
> 
> Or would it be better to add a strict length checking variant of this
> API?  There are probably lots of similar cases where we expect a

We would lose flexibilty and the check needs to be there anyway.

> Right.  And probably all 16 or 32 bit integer reads...
> 
> Looking at the NCM spec, I see that the wording is annoyingly flexible
> wrt length - both ways.  E.g for GetNetAddress:
> 
>   To get the entire network address, the host should set wLength to at
>   least 6. The function shall never return more than 6 bytes in response
>   to this command.
> 
> Maybe the correct fix is simply to let usbnet_read_cmd() initialize the
> full buffer regardless of what the device returns?  I.e.

This issue has never been observed in the wild. We are defending
against a possible attack. It is better to react drastically.

> at do you think?
> 
> Personally, I don't think it makes sense for a device to return a 1-byte
> mtu or 3-byte mac address. But the spec allows it and this would at
> least make it safe.

Hence we should ignore such a reply. The support is optional anyway.
For usbnet as such, however, we cannot really hardcode the size of
a MAC.

	Regards
		Oliver