diff mbox series

net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read

Message ID 20231009-topic-dm9601_uninit_mdio_read-v1-1-d4d775e24e3b@gmail.com
State New
Headers
Series net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read |

Commit Message

Javier Carrasco Oct. 9, 2023, 6:52 p.m. UTC 
  syzbot has found an uninit-value bug triggered by the dm9601 driver [1].

This error happens because the variable res is not updated if the call
to dm_read_shared_word returns an error or if no data is read (see
__usbnet_read_cmd()). In this particular case -EPROTO was returned and
res stayed uninitialized.

This can be avoided by checking the return value of dm_read_shared_word
and returning an error if the read operation failed or no data was read.

[1] https://syzkaller.appspot.com/bug?extid=1f53a30781af65d2c955

Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Reported-and-tested-by: syzbot+1f53a30781af65d2c955@syzkaller.appspotmail.com
---
 drivers/net/usb/dm9601.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)


---
base-commit: 94f6f0550c625fab1f373bb86a6669b45e9748b3
change-id: 20231009-topic-dm9601_uninit_mdio_read-a15918ffbd6f

Best regards,

Comments

Peter Korsgaard Oct. 9, 2023, 8:48 p.m. UTC | #1 
>>>>> "Javier" == Javier Carrasco <javier.carrasco.cruz@gmail.com> writes:

 > syzbot has found an uninit-value bug triggered by the dm9601 driver [1].
 > This error happens because the variable res is not updated if the call
 > to dm_read_shared_word returns an error or if no data is read (see
 > __usbnet_read_cmd()). In this particular case -EPROTO was returned and
 > res stayed uninitialized.

 > This can be avoided by checking the return value of dm_read_shared_word
 > and returning an error if the read operation failed or no data was read.

 > [1] https://syzkaller.appspot.com/bug?extid=1f53a30781af65d2c955

 > Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
 > Reported-and-tested-by: syzbot+1f53a30781af65d2c955@syzkaller.appspotmail.com
 > ---
 >  drivers/net/usb/dm9601.c | 9 ++++++++-
 >  1 file changed, 8 insertions(+), 1 deletion(-)

 > diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
 > index 48d7d278631e..e223daa93229 100644
 > --- a/drivers/net/usb/dm9601.c
 > +++ b/drivers/net/usb/dm9601.c
 > @@ -222,13 +222,20 @@ static int dm9601_mdio_read(struct net_device *netdev, int phy_id, int loc)
 >  	struct usbnet *dev = netdev_priv(netdev);
 
 >  	__le16 res;
 > +	int err;
 
 >  	if (phy_id) {
 >  		netdev_dbg(dev->net, "Only internal phy supported\n");
 >  		return 0;
 >  	}
 
 > -	dm_read_shared_word(dev, 1, loc, &res);
 > +	err = dm_read_shared_word(dev, 1, loc, &res);
 > +	if (err <= 0) {
 > +		if (err == 0)
 > +			err = -ENODATA;

Looking at dm_read(), it doesn't look like we can end up here with err
== 0, but OK.

Acked-by: Peter Korsgaard <peter@korsgaard.com>
Javier Carrasco Oct. 9, 2023, 9:48 p.m. UTC | #2 
Hi Peter,

On 09.10.23 22:48, Peter Korsgaard wrote:
> 
>  > syzbot has found an uninit-value bug triggered by the dm9601 driver [1].
>  > This error happens because the variable res is not updated if the call
>  > to dm_read_shared_word returns an error or if no data is read (see
>  > __usbnet_read_cmd()). In this particular case -EPROTO was returned and
>  > res stayed uninitialized.
> 
>  > This can be avoided by checking the return value of dm_read_shared_word
>  > and returning an error if the read operation failed or no data was read.
> 
>  > [1] https://syzkaller.appspot.com/bug?extid=1f53a30781af65d2c955
> 
>  > Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
>  > Reported-and-tested-by: syzbot+1f53a30781af65d2c955@syzkaller.appspotmail.com
>  > ---
>  >  drivers/net/usb/dm9601.c | 9 ++++++++-
>  >  1 file changed, 8 insertions(+), 1 deletion(-)
> 
>  > diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
>  > index 48d7d278631e..e223daa93229 100644
>  > --- a/drivers/net/usb/dm9601.c
>  > +++ b/drivers/net/usb/dm9601.c
>  > @@ -222,13 +222,20 @@ static int dm9601_mdio_read(struct net_device *netdev, int phy_id, int loc) !
>  >  	struct usbnet *dev = netdev_priv(netdev);
>  
>  >  	__le16 res;
>  > +	int err;
>  
>  >  	if (phy_id) {
>  >  		netdev_dbg(dev->net, "Only internal phy supported\n");
>  >  		return 0;
>  >  	}
>  
>  > -	dm_read_shared_word(dev, 1, loc, &res);
>  > +	err = dm_read_shared_word(dev, 1, loc, &res);
>  > +	if (err <= 0) {
>  > +		if (err == 0)
>  > +			err = -ENODATA;
> 
> Looking at dm_read(), it doesn't look like we can end up here with err
> == 0, but OK.You are right, I just simulated the err = 0 value from
__usbnet_read_cmd() and in this case it is harmless because dm_read is
called with length != 0 (in dm_read_shared_word either 1 or 2) and
therefore it returns -EINVAL. A silly case where this would fail would
be if length == 0, which would be wrong anyways.

So I will remove the err == 0 case for v2.

Thanks a lot for your feedback.

> Acked-by: Peter Korsgaard <peter@korsgaard.com>
> 
Best regards,
Javier Carrasco
diff mbox series

Patch

diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
index 48d7d278631e..e223daa93229 100644
--- a/drivers/net/usb/dm9601.c
+++ b/drivers/net/usb/dm9601.c
@@ -222,13 +222,20 @@  static int dm9601_mdio_read(struct net_device *netdev, int phy_id, int loc)
 	struct usbnet *dev = netdev_priv(netdev);
 
 	__le16 res;
+	int err;
 
 	if (phy_id) {
 		netdev_dbg(dev->net, "Only internal phy supported\n");
 		return 0;
 	}
 
-	dm_read_shared_word(dev, 1, loc, &res);
+	err = dm_read_shared_word(dev, 1, loc, &res);
+	if (err <= 0) {
+		if (err == 0)
+			err = -ENODATA;
+		netdev_err(dev->net, "MDIO read error: %d\n", err);
+		return err;
+	}
 
 	netdev_dbg(dev->net,
 		   "dm9601_mdio_read() phy_id=0x%02x, loc=0x%02x, returns=0x%04x\n",