Date: Thu, 07 Nov 2019 15:21:18 -0800 (PST)
Message-Id: <20191107.152118.922830217121663373.davem@davemloft.net>
To: tranmanphong@gmail.com
Cc: syzbot+7dc7c28d4577bbe55b10@syzkaller.appspotmail.com, gregkh@linuxfoundation.org, glider@google.com, hslester96@gmail.com, kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, tglx@linutronix.de, linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH] usb: asix: Fix uninit-value in asix_mdio_write
From: David Miller
In-Reply-To: <20191107004404.23707-1-tranmanphong@gmail.com>
References: <0000000000009763320594f993ee@google.com> <20191107004404.23707-1-tranmanphong@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Phong Tran
Date: Thu, 7 Nov 2019 07:44:04 +0700

> The local variables use without initialization value.
> This fixes the syzbot report.
>
> Reported-by: syzbot+7dc7c28d4577bbe55b10@syzkaller.appspotmail.com
>
> Test result:
>
> https://groups.google.com/d/msg/syzkaller-bugs/3H_n05x_sPU/sUoHhxgAAgAJ
>
> Signed-off-by: Phong Tran

There are several more situations in this file where the data blob
passed to asix_read_cmd() is read without pre-initialization and
without checking the return value from asix_read_cmd().

So, syzbot can see some of them but not all of them, yet all of them
are buggy and should be fixed.

These kinds of patches drive me absolutely crazy :-)

Really, one of two things needs to happen, either asix_read_cmd()
clears the incoming buffer unconditionally, or these call sites
strictly must check the return value always before accessing the
buffer after the call.

I'm not applying this, sorry.
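
The two remedies named in the reply, modelled in user-space C as an added example that is not part of the original mail or of the asix driver. `model_read_cmd()` is a hypothetical stand-in for a helper like asix_read_cmd(), the reply bytes are constructed, and the 0xAA poison stands in for uninitialized stack data so the result is deterministic.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read helper: on failure returns -EIO and leaves buf untouched. */
static int model_read_cmd(int fail, void *buf, size_t size)
{
    static const uint8_t reply[2] = { 0x34, 0x12 }; /* constructed reply */
    if (fail || size > sizeof(reply))
        return -EIO;
    memcpy(buf, reply, size);
    return (int)size;
}

/* Remedy 1: the helper clears the incoming buffer unconditionally. */
static int model_read_cmd_cleared(int fail, void *buf, size_t size)
{
    memset(buf, 0, size);
    return model_read_cmd(fail, buf, size);
}

/* Criticised call-site pattern: result ignored, buffer used anyway.
 * rd selects which helper variant the call site goes through. */
static uint16_t read_unchecked(int (*rd)(int, void *, size_t), int fail)
{
    uint8_t raw[2];
    memset(raw, 0xAA, sizeof(raw)); /* poison models stale stack bytes */
    rd(fail, raw, sizeof(raw));
    return (uint16_t)(raw[0] | (raw[1] << 8));
}

/* Remedy 2: the call site checks the result before touching the buffer. */
static int read_checked(int fail, uint16_t *out)
{
    uint8_t raw[2];
    int ret = model_read_cmd(fail, raw, sizeof(raw));
    if (ret < 0)
        return ret;
    *out = (uint16_t)(raw[0] | (raw[1] << 8));
    return 0;
}

int main(void)
{
    uint16_t v = 0;
    printf("unchecked=0x%04x cleared=0x%04x checked=%d\n",
           read_unchecked(model_read_cmd, 1),
           read_unchecked(model_read_cmd_cleared, 1), read_checked(1, &v));
}
```

In this model, clearing the buffer turns the ignored-failure case into a deterministic zero instead of stale memory, while the checked call site is the only variant in which the caller learns that the read failed.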