From patchwork Fri Oct 25 13:27:14 2024
X-Patchwork-Submitter: Koichiro Den
X-Patchwork-Id: 2002234
From: Koichiro Den
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/2] net: asix: fix uninit value bugs
Date: Fri, 25 Oct 2024 22:27:14 +0900
Message-ID: <20241025132720.2838693-2-koichiro.den@canonical.com>
In-Reply-To: <20241025132720.2838693-1-koichiro.den@canonical.com>
References: <20241025132720.2838693-1-koichiro.den@canonical.com>

From: Pavel Skripkin

Syzbot reported uninit-value in asix_mdio_read(). The problem was in
missing error handling. asix_read_cmd() should initialize passed stack
variable smsr, but it can fail in some cases. Then while condition
checks possibly uninit smsr variable.

Since smsr is uninitialized stack variable, driver can misbehave,
because smsr will be random in case of asix_read_cmd() failure.
Fix it by adding error handling and just continue the loop instead of
checking uninit value.

Added helper function for checking Host_En bit, since wrong loop was used
in 4 functions and there is no need in copy-pasting code parts.

Cc: Robert Foss
Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter")
Reported-by: syzbot+a631ec9e717fb0423053@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: David S. Miller
(backported from commit a786e3195d6af183033e86f0518ffd2c51c0e8ac)
[koichiroden: Adjusted context due to missing commit
 d275afb66371 ("net: usb: asix: add error handling for asix_mdio_* functions"),
 which in turn depends on
 e532a096be0e ("net: usb: asix: ax88772: add phylib support").
 Ref. [PATCH net-next v2 0/8] port asix ax88772 to the PHYlib
 https://lore.kernel.org/linux-usb/20210607082727.26045-1-o.rempel@pengutronix.de/]
CVE-2021-47101
Signed-off-by: Koichiro Den --- drivers/net/usb/asix_common.c | 71 +++++++++++++++-------------------- 1 file changed, 31 insertions(+), 40 deletions(-) diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c index 7bc6e8f856fe..12ce52600eaf 100644 --- a/drivers/net/usb/asix_common.c +++ b/drivers/net/usb/asix_common.c @@ -63,6 +63,29 @@ void asix_write_cmd_async(struct usbnet *dev, u8 cmd, u16 value, u16 index, value, index, data, size); } +static int asix_check_host_enable(struct usbnet *dev, int in_pm) +{ + int i, ret; + u8 smsr; + + for (i = 0; i < 30; ++i) { + ret = asix_set_sw_mii(dev, in_pm); + if (ret == -ENODEV || ret == -ETIMEDOUT) + break; + usleep_range(1000, 1100); + ret = asix_read_cmd(dev, AX_CMD_STATMNGSTS_REG, + 0, 0, 1, &smsr, in_pm); + if (ret == -ENODEV) + break; + else if (ret < 0) + continue; + else if (smsr & AX_HOST_EN) + break; + } + + return ret; +} + static void reset_asix_rx_fixup_info(struct asix_rx_fixup_info *rx) { /* Reset the variables that have a lifetime outside of @@ -445,19 +468,11 @@ int asix_mdio_read(struct net_device *netdev, int phy_id, int loc) { struct usbnet *dev = netdev_priv(netdev); __le16 res; - u8 smsr; - int i = 0; int ret; mutex_lock(&dev->phy_mutex); - do { - ret = asix_set_sw_mii(dev, 0); - if (ret == -ENODEV || ret == -ETIMEDOUT) - break; - usleep_range(1000, 1100); - ret = asix_read_cmd(dev, AX_CMD_STATMNGSTS_REG, - 0, 0, 1, &smsr, 0); - } while (!(smsr & AX_HOST_EN) && (i++ < 30) && (ret != -ENODEV)); + + ret = asix_check_host_enable(dev, 0); if (ret == -ENODEV || ret == -ETIMEDOUT) { mutex_unlock(&dev->phy_mutex); return ret; 
@@ -478,22 +493,14 @@ void asix_mdio_write(struct net_device *netdev, int phy_id, int loc, int val) { struct usbnet *dev = netdev_priv(netdev); __le16 res = cpu_to_le16(val); - u8 smsr; - int i = 0; int ret; netdev_dbg(dev->net, "asix_mdio_write() phy_id=0x%02x, loc=0x%02x, val=0x%04x\n", phy_id, loc, val); mutex_lock(&dev->phy_mutex); - do { - ret = asix_set_sw_mii(dev, 0); - if (ret == -ENODEV) - break; - usleep_range(1000, 1100); - ret = asix_read_cmd(dev, AX_CMD_STATMNGSTS_REG, - 0, 0, 1, &smsr, 0); - } while (!(smsr & AX_HOST_EN) && (i++ < 30) && (ret != -ENODEV)); + + ret = asix_check_host_enable(dev, 0); if (ret == -ENODEV) { mutex_unlock(&dev->phy_mutex); return; @@ -509,19 +516,11 @@ int asix_mdio_read_nopm(struct net_device *netdev, int phy_id, int loc) { struct usbnet *dev = netdev_priv(netdev); __le16 res; - u8 smsr; - int i = 0; int ret; mutex_lock(&dev->phy_mutex); - do { - ret = asix_set_sw_mii(dev, 1); - if (ret == -ENODEV || ret == -ETIMEDOUT) - break; - usleep_range(1000, 1100); - ret = asix_read_cmd(dev, AX_CMD_STATMNGSTS_REG, - 0, 0, 1, &smsr, 1); - } while (!(smsr & AX_HOST_EN) && (i++ < 30) && (ret != -ENODEV)); + + ret = asix_check_host_enable(dev, 1); if (ret == -ENODEV || ret == -ETIMEDOUT) { mutex_unlock(&dev->phy_mutex); return ret; 
@@ -543,22 +542,14 @@ asix_mdio_write_nopm(struct net_device *netdev, int phy_id, int loc, int val) { struct usbnet *dev = netdev_priv(netdev); __le16 res = cpu_to_le16(val); - u8 smsr; - int i = 0; int ret; netdev_dbg(dev->net, "asix_mdio_write() phy_id=0x%02x, loc=0x%02x, val=0x%04x\n", phy_id, loc, val); mutex_lock(&dev->phy_mutex); - do { - ret = asix_set_sw_mii(dev, 1); - if (ret == -ENODEV) - break; - usleep_range(1000, 1100); - ret = asix_read_cmd(dev, AX_CMD_STATMNGSTS_REG, - 0, 0, 1, &smsr, 1); - } while (!(smsr & AX_HOST_EN) && (i++ < 30) && (ret != -ENODEV)); + + ret = asix_check_host_enable(dev, 1); if (ret == -ENODEV) { mutex_unlock(&dev->phy_mutex); return;

From patchwork Fri Oct 25 13:27:15 2024
X-Patchwork-Submitter: Koichiro Den
X-Patchwork-Id: 2002236
From: Koichiro Den
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 2/2] asix: fix uninit-value in asix_mdio_read()
Date: Fri, 25 Oct 2024 22:27:15 +0900
Message-ID: <20241025132720.2838693-3-koichiro.den@canonical.com>
In-Reply-To: <20241025132720.2838693-1-koichiro.den@canonical.com>
References: <20241025132720.2838693-1-koichiro.den@canonical.com>

From: Pavel Skripkin

asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
smsr will be uninitialized.

Fail log:
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497

Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter")
Reported-and-tested-by: syzbot+f44badb06036334e867a@syzkaller.appspotmail.com
Reviewed-by: Andrew Lunn
Signed-off-by: Pavel Skripkin
Link: https://lore.kernel.org/r/8966e3b514edf39857dd93603fc79ec02e000a75.1640117288.git.paskripkin@gmail.com
Signed-off-by: Jakub Kicinski
(cherry picked from commit 8035b1a2a37a29d8c717ef84fca8fe7278bc9f03)
CVE-2021-47101
Signed-off-by: Koichiro Den --- drivers/net/usb/asix_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c index 12ce52600eaf..11554bce19b0 100644 --- a/drivers/net/usb/asix_common.c +++ b/drivers/net/usb/asix_common.c @@ -77,7 +77,7 @@ static int asix_check_host_enable(struct usbnet *dev, int in_pm) 0, 0, 1, &smsr, in_pm); if (ret == -ENODEV) break; - else if (ret < 0) + else if (ret < sizeof(smsr)) continue; else if (smsr & AX_HOST_EN) break;
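
Review bot: asix_check_host_enable() in patch 1/2 ends with a bare `return ret;`, so when all 30 iterations complete without AX_HOST_EN being set it hands back whatever the last asix_read_cmd() call returned. If that last read succeeded, the caller gets a non-negative value and cannot tell that the host-enable wait ran out. Consider returning -ETIMEDOUT explicitly when the loop falls through without taking the `smsr & AX_HOST_EN` break.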
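
Review bot: the asix_mdio_write() and asix_mdio_write_nopm() call sites in patch 1/2 still test only `ret == -ENODEV` after `asix_check_host_enable()`, although the helper also stops on -ETIMEDOUT from asix_set_sw_mii() and can return other negative values from the last asix_read_cmd(). The removed loops in these two functions broke only on -ENODEV, so the shared helper changes their behaviour, and any error other than -ENODEV falls through past the early return. Checking `ret < 0` here, or at least matching the read side's `ret == -ENODEV || ret == -ETIMEDOUT`, would make the four callers consistent; the backport note should mention the change either way.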
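
Review bot: `ret < sizeof(smsr)` in patch 2/2 compares an `int` (declared as `int i, ret;` in patch 1/2) against a `size_t`, so `ret` is converted to unsigned and a negative error code other than the -ENODEV handled just above compares as a very large value. The `continue` is then skipped and `smsr & AX_HOST_EN` is evaluated on an smsr the failed read did not fill, which is the case the replaced `ret < 0` test covered. Suggest `ret < 0 || ret < sizeof(smsr)`, or a signed comparison such as `ret < (int)sizeof(smsr)`.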