Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp892125pxy; Sun, 1 Aug 2021 05:44:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz1Sz4qAOyQsgDBd2uIKCwnmkUtRxRqnfX4/6vpwLDQmmrakOc/GU836uW2wrYINXz1XHJL X-Received: by 2002:a05:6402:3089:: with SMTP id de9mr13312317edb.167.1627821847443; Sun, 01 Aug 2021 05:44:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627821847; cv=none; d=google.com; s=arc-20160816; b=Ft0p2HuT4pawWRi5eoOaeiOMImp4mQd+6QegBBKSm+YJ2fJBJX+jdrSx9qsAFhokcP uv8+wirgd+Pqfzn/LnRhEr7GDeAY9UWBVtmwEqUUJ804jd7gkCTspUrKgPf7Gi+VM3Dd dboNbftoXyE4vGQtOwI1F3bJ4aI7aldKsaW7eZj6B0BMjs6pWJa/2rkbZnkD3IxWmUL0 gDjj5aGs3+ynuCGoMqx+Ly7G4QPKeguDLWioH6hk2J++RdvLJA+oJWtEiupekuu8dvc8 LjmQtmLMrBY72MqWiKsXOptGV2hLWGC18R8uEHzDQNn/SANfdLPP7DAZcM932CLwfGor YgZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=qD0SaqUGLbpCXnxKQhYAIh55AI4eaqb7RBu5u1Fgycg=; b=Vb6ZfkjOrUEhTN6I9gLk+E+sjTuuBsjuGbVyfgphQMVikdQD5YknPQrt3nFwW9JXVR 4PPhaDraJyxHS5n7Hg76UdRhxaZVMlar7Z+O18KUu1J1JYURN+Z2a+LPNgJVKZRiXUHE KECHO9EvmsivIxCC6HP1v3yKC1Es1TDmJ+VXYg/dShF4ecc4zhE5Ulo+pDo2JJQwAGWU nacB9phgSYlCE0DwmOsGe4FUsUnPP0irEiUkelkavpRT8v5nRP5SD6pfIvfCPgN0Gu63 ioHXtUsnrGuc/MP9AqOdOMt4XJnEI1zr7Q+u7Zw5uYuYqarir2eDHJspNS9BSNwHu95G Jshg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@nucleusys.com header.s=x header.b=IRidOk1X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w5si8281300edv.200.2021.08.01.05.43.13; Sun, 01 Aug 2021 05:44:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@nucleusys.com header.s=x header.b=IRidOk1X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231919AbhHAMgt (ORCPT + 99 others); Sun, 1 Aug 2021 08:36:49 -0400 Received: from lan.nucleusys.com ([92.247.61.126]:38836 "EHLO zzt.nucleusys.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S231802AbhHAMgt (ORCPT ); Sun, 1 Aug 2021 08:36:49 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nucleusys.com; s=x; h=In-Reply-To:Content-Type:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=qD0SaqUGLbpCXnxKQhYAIh55AI4eaqb7RBu5u1Fgycg=; b=IRidOk1XEwdiv7peuu2PYqd7f8 6fNmZ9dbqzc+lyEwenVQya068KgR4Rw9jAjKYr7OjzPJ799gouZIIxkWJ8AVvOC8eQOtoMCrntQ8/ FGsx/wilz0IbLxvQXmN9C6y15wMAoXHrsmhpF/HdG8lp0Z/qUXLdc4SGBTTKCRGLUaOg=; Received: from [94.26.108.4] (helo=carbon) by zzt.nucleusys.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mAAhg-0000OU-Df; Sun, 01 Aug 2021 15:36:29 +0300 Date: Sun, 1 Aug 2021 15:36:27 +0300 From: Petko Manolov To: Pavel Skripkin Cc: davem@davemloft.net, kuba@kernel.org, linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+02c9f70f3afae308464a@syzkaller.appspotmail.com Subject: Re: [PATCH] net: pegasus: fix uninit-value in get_interrupt_interval Message-ID: References: <20210730214411.1973-1-paskripkin@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210730214411.1973-1-paskripkin@gmail.com> X-Spam_score: -1.0 X-Spam_bar: - X-Spam_report: Spam detection software, running on the system "zzt.nucleusys.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: On 21-07-31 00:44:11, Pavel Skripkin wrote: > Syzbot reported uninit value pegasus_probe(). The problem was in missing > error handling. > > get_interrupt_interval() internally calls read_eprom_word() [...] Content analysis details: (-1.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 21-07-31 00:44:11, Pavel Skripkin wrote: > Syzbot reported uninit value pegasus_probe(). The problem was in missing > error handling. > > get_interrupt_interval() internally calls read_eprom_word() which can > fail in some cases. For example: failed to receive usb control message. > These cases should be handled to prevent uninit value bug, since > read_eprom_word() will not initialize passed stack variable in case of > internal failure. Well, this is most definitelly a bug. ACK! Petko > Fail log: > > BUG: KMSAN: uninit-value in get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline] > BUG: KMSAN: uninit-value in pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152 > CPU: 1 PID: 825 Comm: kworker/1:1 Not tainted 5.12.0-rc6-syzkaller #0 > ... > Workqueue: usb_hub_wq hub_event > Call Trace: > __dump_stack lib/dump_stack.c:79 [inline] > dump_stack+0x24c/0x2e0 lib/dump_stack.c:120 > kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118 > __msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197 > get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline] > pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152 > .... > > Local variable ----data.i@pegasus_probe created at: > get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline] > pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152 > get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline] > pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152 > > Reported-and-tested-by: syzbot+02c9f70f3afae308464a@syzkaller.appspotmail.com > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Pavel Skripkin > --- > drivers/net/usb/pegasus.c | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c > index 9a907182569c..bc2dbf86496b 100644 > --- a/drivers/net/usb/pegasus.c > +++ b/drivers/net/usb/pegasus.c > @@ -735,12 +735,16 @@ static inline void disable_net_traffic(pegasus_t *pegasus) > set_registers(pegasus, EthCtrl0, sizeof(tmp), &tmp); > } > > -static inline void get_interrupt_interval(pegasus_t *pegasus) > +static inline int get_interrupt_interval(pegasus_t *pegasus) > { > u16 data; > u8 interval; > + int ret; > + > + ret = read_eprom_word(pegasus, 4, &data); > + if (ret < 0) > + return ret; > > - read_eprom_word(pegasus, 4, &data); > interval = data >> 8; > if (pegasus->usb->speed != USB_SPEED_HIGH) { > if (interval < 0x80) { > @@ -755,6 +759,8 @@ static inline void get_interrupt_interval(pegasus_t *pegasus) > } > } > pegasus->intr_interval = interval; > + > + return 0; > } > > static void set_carrier(struct net_device *net) > @@ -1149,7 +1155,9 @@ static int pegasus_probe(struct usb_interface *intf, > | NETIF_MSG_PROBE | NETIF_MSG_LINK); > > pegasus->features = usb_dev_id[dev_index].private; > - get_interrupt_interval(pegasus); > + res = get_interrupt_interval(pegasus); > + if (res) > + goto out2; > if (reset_mac(pegasus)) { > dev_err(&intf->dev, "can't reset MAC\n"); > res = -EIO; > -- > 2.32.0 > >