Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp5084630ybl;
        Sat, 21 Dec 2019 21:49:14 -0800 (PST)
X-Google-Smtp-Source: APXvYqw/TkDU6RhEXWqRc6Lf3fNf75isTMqENowulQVCa7S6u6owSDuUP7EHMWhCozya9lcNlZf0
X-Received: by 2002:a9d:242:: with SMTP id 60mr11596800otb.253.1576993754227;
        Sat, 21 Dec 2019 21:49:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1576993754; cv=none;
        d=google.com; s=arc-20160816;
        b=vES4Y/OCMxJq19yP9Pv61M81B5ZQ2AspgzfaaU8RJRpBM3pawYzfUWjbA5S8fmiGA8
         xaJJRo3bHw9EYoWLScqVylxkMTE/cwpZQS5BsQHuGZVQ61lfuRuHcbQEx+lg33EFkZkJ
         RjWENC1sKI+Am6aP7EaE/NJBeHixhaSfUjkwgn0jCZlnGrgeHdAz32Xz1Tc46V5KtmX0
         tGpUUgAG0Dn0oJhh+ZdOTKRaVQPsWXck2TxYpBZWwUdvx3BbWfwrb9T1iTWrPr7BhT31
         N6YfdAMlYmQTkocNJjUIfd0Ez3b6rJnOPoeyAkOeLbJzUHsAKYSt0MgYDkwdDC4kSjsS
         NcmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=XjcArXgAKvyfXDBzvMFPB+lHDAxL1AfHT3DO6M8M8pE=;
        b=lE4+i3Vo/DU7AZ9vz8hF2XT5Of2tv3MKBI1RuI33Ad/+WGTFcTj6dRR3KOiNmycjNU
         dbzYOX514yNUULlU1C5s5v9d04yDVn3LWbW5V3UyhoywluND3xEYKvOchIR1VPlgdkeP
         jYGCZytQ5iQ3MtGChgkq7Ss7KEBagaF7O8i7PdjDbfCCGFfkBeoPCkOa4aQgBMVlel2p
         3cBnwrlnRMYB8iFePB+jTOZyR4lMaWi2lIoTG9+iFLprXKMji7qtI9Xpv75nH5O+OLo3
         1tbl09ZkUXw/nYR82NPvrh1bXDmJa7wsBqBaEJ89lyT0+lEX/ePjuhIDSiFpx01PR0Mb
         Dgaw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=QbGggnc4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b145si900839oii.67.2019.12.21.21.48.50;
        Sat, 21 Dec 2019 21:49:14 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=QbGggnc4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726166AbfLVFrc (ORCPT <rfc822;ahaning.tech@gmail.com>
        + 99 others); Sun, 22 Dec 2019 00:47:32 -0500
Received: from mail-pg1-f195.google.com ([209.85.215.195]:44996 "EHLO
        mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725776AbfLVFrc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 22 Dec 2019 00:47:32 -0500
Received: by mail-pg1-f195.google.com with SMTP id x7so7099393pgl.11;
        Sat, 21 Dec 2019 21:47:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=XjcArXgAKvyfXDBzvMFPB+lHDAxL1AfHT3DO6M8M8pE=;
        b=QbGggnc4rIBvP1w2ApBWds25yNBz7SrOcuLl9VlQJCYjcADux3y+UglVZooSW4SdPa
         aASLnMYWp9ViF6BO87ILXkqQ31ecI/dJ95aVsHGvEf4an7NFGG9VRRWXv0GlSWwXiOhe
         SEeX6HvJncwtqsBCqvOYraM0XN9E025eXKDhV8/HP/yceXDtqY/XfKq96TJsCB7wbQ9d
         3bzPdDFtPFSX5gh70p2FbaXB1nYNmUvODQkfOB6Z5yltAub3uX+1v4SlAssElHprNXV+
         JSJ6elEQfi+pGIitKDnzijKqhSpQRTpGbLIcWcwB+FnKXRmNQHosDOEAxyQ6CR3uP7/A
         7aXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=XjcArXgAKvyfXDBzvMFPB+lHDAxL1AfHT3DO6M8M8pE=;
        b=IyxwoT9i00bVRfWcdNIlSZbr7HwA9l8iV74/6bxObFOkfZegRZ+TB8VyMWAQFNSrEt
         gmwCnfWmYTnC5iA6+OSgmlQm9+F5ZR8c7/k4MHjOxx4MV+60tRaXskfC1wYSf50zH7mI
         Dg4Ua3ARt9VIzqr3Ry1j5SSUzrF3jBDAyN+3m9kdsw5xIO2zwpzk6SrYxbqK4i1aOecm
         FCoJDMkruyUapWbLj6ZVsvpm32aSdnJTbF783ZdNyKk7rqpMAOTT9pbb4EhGdsdHFCgA
         8Rh24sV7a7eK3Sep/TxgqQC3MZiF4nmDti4TmrclaIkZ9A5TOMbK5mfibjChowl8HJ87
         vKCQ==
X-Gm-Message-State: APjAAAVhI2B88yfDOTg9UwP9P/2VwZjBmEzWbnHiDz315b77Z1hQ9x0K
        3hKZIae3W7x385CfbQxBVHM=
X-Received: by 2002:a63:d017:: with SMTP id z23mr24720347pgf.110.1576993651284;
        Sat, 21 Dec 2019 21:47:31 -0800 (PST)
Received: from debian.net.fpt ([2405:4800:58f7:229b:e8c2:8912:129c:d0d])
        by smtp.gmail.com with ESMTPSA id o2sm10880285pjo.26.2019.12.21.21.47.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 21 Dec 2019 21:47:30 -0800 (PST)
From:   Phong Tran <tranmanphong@gmail.com>
To:     syzbot+514595412b80dc817633@syzkaller.appspotmail.com,
        davem@davemloft.net, gregkh@linuxfoundation.org, oneukum@suse.com
Cc:     allison@lohutok.net, andreyknvl@google.com,
        kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org,
        linux-usb@vger.kernel.org, netdev@vger.kernel.org,
        swinslow@gmail.com, syzkaller-bugs@googlegroups.com,
        tglx@linutronix.de, tranmanphong@gmail.com, zhang.run@zte.com.cn
Subject: [PATCH] ax88172a: fix wrong reading MAC malicious device
Date:   Sun, 22 Dec 2019 12:47:13 +0700
Message-Id: <20191222054713.14887-1-tranmanphong@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <000000000000ab9d07059a410fae@google.com>
References: <000000000000ab9d07059a410fae@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Crash log KASAN: use-after-free Read in asix_suspend

https://syzkaller.appspot.com/text?tag=CrashLog&x=1330a2c6e00000
(unnamed net_device) (uninitialized): Failed to read MAC address: 0

asix_read_cmd() with ret = 0 but this is a error. Fix the checking
return value condition.

Reported-by: syzbot+514595412b80dc817633@syzkaller.appspotmail.com

Tested by:
https://groups.google.com/d/msg/syzkaller-bugs/0hHExZ030LI/yge-2Q_9BAAJ

Signed-off-by: Phong Tran <tranmanphong@gmail.com>
---
 drivers/net/usb/ax88172a.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
index af3994e0853b..525900896ce0 100644
--- a/drivers/net/usb/ax88172a.c
+++ b/drivers/net/usb/ax88172a.c
@@ -197,6 +197,8 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
 	/* Get the MAC address */
 	ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
 	if (ret < ETH_ALEN) {
+		if (ret >= 0)
+			ret = -ENXIO;
 		netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
 		goto free;
 	}
-- 
2.20.1