Message ID | 20241028074150.112511-1-koichiro.den@canonical.com |
---|---|
Headers | show |
Series | CVE-2021-47101 | expand |
On Mon, Oct 28, 2024 at 04:41:37PM +0900, Koichiro Den wrote: > [Impact] > > asix: fix uninit-value in asix_mdio_read() > > asix_read_cmd() may read less than sizeof(smsr) bytes and in this case > smsr will be uninitialized. > > Fail log: > BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] > BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 > BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 > asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] > asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 > asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 > > [Fix] > > Noble: not affected > Jammy: fixed via stable > Focal: Clean cherry-pick following two prereq commits backporting > Bionic: fix sent to esm ML > Xenial: not affected > Trusty: not affected > > [Test Case] > > Compile tested / Smatch tested on the changed file (with amd64 generic config) [*] > > [*]: warn message found, which is irrelevant to the CVE backport. > $ kchecker drivers/net/usb/asix_common.c > --(snip)-- > CHECK drivers/net/usb/asix_common.c > drivers/net/usb/asix_common.c:634 asix_get_eeprom() warn: potential spectre issue 'eeprom_buff' [w] > > [Where problems could occur] > > This backport affects those who use ASIX USB Ethernet devices, an issue > with it would be visible to the user via unpredicted system behavior or > a system crash especially if some sort of regression will be found for > the prerequisite fix commit in the future. > > [Notes] > > v2: > - Pull a follow-up fix commit from upstream that fixes the first prerequisite > commit "net: asix: fix uninit value bugs". Also, fix [Impact] section in this cover letter. > > Pavel Skripkin (3): > net: asix: fix uninit value bugs > asix: fix wrong return value in asix_check_host_enable() > asix: fix uninit-value in asix_mdio_read() > > drivers/net/usb/asix_common.c | 73 ++++++++++++++++------------------- > 1 file changed, 33 insertions(+), 40 deletions(-) > > -- > 2.43.0 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
On 10/28/24 15:41, Koichiro Den wrote: > [Impact] > > asix: fix uninit-value in asix_mdio_read() > > asix_read_cmd() may read less than sizeof(smsr) bytes and in this case > smsr will be uninitialized. > > Fail log: > BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] > BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 > BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 > asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] > asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 > asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 Acked-by: Guoqing Jiang <guoqing.jiang@canonical.com> BTW, there is another commit which seems to fix the similar issue. commit 920a9fa27e7805499cfe78491b36fed2322c02ec Author: Pavel Skripkin <paskripkin@gmail.com> Date: Sun Feb 6 21:05:16 2022 +0300 net: asix: add proper error handling of usb read errors Syzbot once again hit uninit value in asix driver. The problem still the same -- asix_read_cmd() reads less bytes, than was requested by caller. Since all read requests are performed via asix_read_cmd() let's catch usb related error there and add __must_check notation to be sure all callers actually check return value. So, this patch adds sanity check inside asix_read_cmd(), that simply checks if bytes read are not less, than was requested and adds missing error handling of asix_read_cmd() all across the driver code. Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter") Not sure if the above is needed as well. Thanks, Guoqing > [Fix] > > Noble: not affected > Jammy: fixed via stable > Focal: Clean cherry-pick following two prereq commits backporting > Bionic: fix sent to esm ML > Xenial: not affected > Trusty: not affected > > [Test Case] > > Compile tested / Smatch tested on the changed file (with amd64 generic config) [*] > > [*]: warn message found, which is irrelevant to the CVE backport. > $ kchecker drivers/net/usb/asix_common.c > --(snip)-- > CHECK drivers/net/usb/asix_common.c > drivers/net/usb/asix_common.c:634 asix_get_eeprom() warn: potential spectre issue 'eeprom_buff' [w] > > [Where problems could occur] > > This backport affects those who use ASIX USB Ethernet devices, an issue > with it would be visible to the user via unpredicted system behavior or > a system crash especially if some sort of regression will be found for > the prerequisite fix commit in the future. > > [Notes] > > v2: > - Pull a follow-up fix commit from upstream that fixes the first prerequisite > commit "net: asix: fix uninit value bugs". Also, fix [Impact] section in this cover letter. > > Pavel Skripkin (3): > net: asix: fix uninit value bugs > asix: fix wrong return value in asix_check_host_enable() > asix: fix uninit-value in asix_mdio_read() > > drivers/net/usb/asix_common.c | 73 ++++++++++++++++------------------- > 1 file changed, 33 insertions(+), 40 deletions(-) >
On 28.10.24 08:41, Koichiro Den wrote: > [Impact] > > asix: fix uninit-value in asix_mdio_read() > > asix_read_cmd() may read less than sizeof(smsr) bytes and in this case > smsr will be uninitialized. > > Fail log: > BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] > BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 > BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 > asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] > asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 > asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 > > [Fix] > > Noble: not affected > Jammy: fixed via stable > Focal: Clean cherry-pick following two prereq commits backporting > Bionic: fix sent to esm ML > Xenial: not affected > Trusty: not affected > > [Test Case] > > Compile tested / Smatch tested on the changed file (with amd64 generic config) [*] > > [*]: warn message found, which is irrelevant to the CVE backport. > $ kchecker drivers/net/usb/asix_common.c > --(snip)-- > CHECK drivers/net/usb/asix_common.c > drivers/net/usb/asix_common.c:634 asix_get_eeprom() warn: potential spectre issue 'eeprom_buff' [w] > > [Where problems could occur] > > This backport affects those who use ASIX USB Ethernet devices, an issue > with it would be visible to the user via unpredicted system behavior or > a system crash especially if some sort of regression will be found for > the prerequisite fix commit in the future. > > [Notes] > > v2: > - Pull a follow-up fix commit from upstream that fixes the first prerequisite > commit "net: asix: fix uninit value bugs". Also, fix [Impact] section in this cover letter. > > Pavel Skripkin (3): > net: asix: fix uninit value bugs > asix: fix wrong return value in asix_check_host_enable() > asix: fix uninit-value in asix_mdio_read() > > drivers/net/usb/asix_common.c | 73 ++++++++++++++++------------------- > 1 file changed, 33 insertions(+), 40 deletions(-) > Applied to focal:linux/master-next. Thanks. -Stefan