mbox series

[SRU,F,v2,0/3] CVE-2021-47101

Message ID 20241028074150.112511-1-koichiro.den@canonical.com
Headers show
Series CVE-2021-47101 | expand

Message

Koichiro Den Oct. 28, 2024, 7:41 a.m. UTC
[Impact]

asix: fix uninit-value in asix_mdio_read()

asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
smsr will be uninitialized.

Fail log:
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497

[Fix]

Noble:  not affected
Jammy:  fixed via stable
Focal:  Clean cherry-pick following two prereq commits backporting
Bionic: fix sent to esm ML
Xenial: not affected
Trusty: not affected

[Test Case]

Compile tested / Smatch tested on the changed file (with amd64 generic config) [*]

[*]: warn message found, which is irrelevant to the CVE backport.
     $ kchecker drivers/net/usb/asix_common.c
       --(snip)--
       CHECK   drivers/net/usb/asix_common.c
     drivers/net/usb/asix_common.c:634 asix_get_eeprom() warn: potential spectre issue 'eeprom_buff' [w]

[Where problems could occur]

This backport affects those who use ASIX USB Ethernet devices, an issue
with it would be visible to the user via unpredicted system behavior or
a system crash especially if some sort of regression will be found for
the prerequisite fix commit in the future.

[Notes]

v2:
  - Pull a follow-up fix commit from upstream that fixes the first prerequisite
    commit "net: asix: fix uninit value bugs". Also, fix [Impact] section in this cover letter.

Pavel Skripkin (3):
  net: asix: fix uninit value bugs
  asix: fix wrong return value in asix_check_host_enable()
  asix: fix uninit-value in asix_mdio_read()

 drivers/net/usb/asix_common.c | 73 ++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 40 deletions(-)

Comments

Manuel Diewald Oct. 28, 2024, 1:56 p.m. UTC | #1
On Mon, Oct 28, 2024 at 04:41:37PM +0900, Koichiro Den wrote:
> [Impact]
> 
> asix: fix uninit-value in asix_mdio_read()
> 
> asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
> smsr will be uninitialized.
> 
> Fail log:
> BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
> BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
> BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
>  asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
>  asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
>  asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
> 
> [Fix]
> 
> Noble:  not affected
> Jammy:  fixed via stable
> Focal:  Clean cherry-pick following two prereq commits backporting
> Bionic: fix sent to esm ML
> Xenial: not affected
> Trusty: not affected
> 
> [Test Case]
> 
> Compile tested / Smatch tested on the changed file (with amd64 generic config) [*]
> 
> [*]: warn message found, which is irrelevant to the CVE backport.
>      $ kchecker drivers/net/usb/asix_common.c
>        --(snip)--
>        CHECK   drivers/net/usb/asix_common.c
>      drivers/net/usb/asix_common.c:634 asix_get_eeprom() warn: potential spectre issue 'eeprom_buff' [w]
> 
> [Where problems could occur]
> 
> This backport affects those who use ASIX USB Ethernet devices, an issue
> with it would be visible to the user via unpredicted system behavior or
> a system crash especially if some sort of regression will be found for
> the prerequisite fix commit in the future.
> 
> [Notes]
> 
> v2:
>   - Pull a follow-up fix commit from upstream that fixes the first prerequisite
>     commit "net: asix: fix uninit value bugs". Also, fix [Impact] section in this cover letter.
> 
> Pavel Skripkin (3):
>   net: asix: fix uninit value bugs
>   asix: fix wrong return value in asix_check_host_enable()
>   asix: fix uninit-value in asix_mdio_read()
> 
>  drivers/net/usb/asix_common.c | 73 ++++++++++++++++-------------------
>  1 file changed, 33 insertions(+), 40 deletions(-)
> 
> -- 
> 2.43.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
Guoqing Jiang Oct. 29, 2024, 10:56 a.m. UTC | #2
On 10/28/24 15:41, Koichiro Den wrote:
> [Impact]
>
> asix: fix uninit-value in asix_mdio_read()
>
> asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
> smsr will be uninitialized.
>
> Fail log:
> BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
> BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
> BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
>   asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
>   asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
>   asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497

Acked-by: Guoqing Jiang <guoqing.jiang@canonical.com>

BTW, there is another commit which seems to fix the similar issue.

commit 920a9fa27e7805499cfe78491b36fed2322c02ec
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Sun Feb 6 21:05:16 2022 +0300

     net: asix: add proper error handling of usb read errors

     Syzbot once again hit uninit value in asix driver. The problem 
still the
     same -- asix_read_cmd() reads less bytes, than was requested by caller.

     Since all read requests are performed via asix_read_cmd() let's catch
     usb related error there and add __must_check notation to be sure all
     callers actually check return value.

     So, this patch adds sanity check inside asix_read_cmd(), that simply
     checks if bytes read are not less, than was requested and adds missing
     error handling of asix_read_cmd() all across the driver code.

     Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter")

Not sure if the above is needed as well.

Thanks,
Guoqing

> [Fix]
>
> Noble:  not affected
> Jammy:  fixed via stable
> Focal:  Clean cherry-pick following two prereq commits backporting
> Bionic: fix sent to esm ML
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile tested / Smatch tested on the changed file (with amd64 generic config) [*]
>
> [*]: warn message found, which is irrelevant to the CVE backport.
>       $ kchecker drivers/net/usb/asix_common.c
>         --(snip)--
>         CHECK   drivers/net/usb/asix_common.c
>       drivers/net/usb/asix_common.c:634 asix_get_eeprom() warn: potential spectre issue 'eeprom_buff' [w]
>
> [Where problems could occur]
>
> This backport affects those who use ASIX USB Ethernet devices, an issue
> with it would be visible to the user via unpredicted system behavior or
> a system crash especially if some sort of regression will be found for
> the prerequisite fix commit in the future.
>
> [Notes]
>
> v2:
>    - Pull a follow-up fix commit from upstream that fixes the first prerequisite
>      commit "net: asix: fix uninit value bugs". Also, fix [Impact] section in this cover letter.
>
> Pavel Skripkin (3):
>    net: asix: fix uninit value bugs
>    asix: fix wrong return value in asix_check_host_enable()
>    asix: fix uninit-value in asix_mdio_read()
>
>   drivers/net/usb/asix_common.c | 73 ++++++++++++++++-------------------
>   1 file changed, 33 insertions(+), 40 deletions(-)
>
Stefan Bader Nov. 11, 2024, 10:30 a.m. UTC | #3
On 28.10.24 08:41, Koichiro Den wrote:
> [Impact]
> 
> asix: fix uninit-value in asix_mdio_read()
> 
> asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
> smsr will be uninitialized.
> 
> Fail log:
> BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
> BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
> BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
>   asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
>   asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
>   asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
> 
> [Fix]
> 
> Noble:  not affected
> Jammy:  fixed via stable
> Focal:  Clean cherry-pick following two prereq commits backporting
> Bionic: fix sent to esm ML
> Xenial: not affected
> Trusty: not affected
> 
> [Test Case]
> 
> Compile tested / Smatch tested on the changed file (with amd64 generic config) [*]
> 
> [*]: warn message found, which is irrelevant to the CVE backport.
>       $ kchecker drivers/net/usb/asix_common.c
>         --(snip)--
>         CHECK   drivers/net/usb/asix_common.c
>       drivers/net/usb/asix_common.c:634 asix_get_eeprom() warn: potential spectre issue 'eeprom_buff' [w]
> 
> [Where problems could occur]
> 
> This backport affects those who use ASIX USB Ethernet devices, an issue
> with it would be visible to the user via unpredicted system behavior or
> a system crash especially if some sort of regression will be found for
> the prerequisite fix commit in the future.
> 
> [Notes]
> 
> v2:
>    - Pull a follow-up fix commit from upstream that fixes the first prerequisite
>      commit "net: asix: fix uninit value bugs". Also, fix [Impact] section in this cover letter.
> 
> Pavel Skripkin (3):
>    net: asix: fix uninit value bugs
>    asix: fix wrong return value in asix_check_host_enable()
>    asix: fix uninit-value in asix_mdio_read()
> 
>   drivers/net/usb/asix_common.c | 73 ++++++++++++++++-------------------
>   1 file changed, 33 insertions(+), 40 deletions(-)
> 

Applied to focal:linux/master-next. Thanks.

-Stefan