Re: [Linux-kernel-mentees][PATCH] net: usb: rtl8150: prevent set_ethernet_addr from setting uninit address
From: Anant Thazhemadam
Date: Wed Sep 30 2020 - 00:02:27 EST
On 29/09/20 2:17 pm, Petko Manolov wrote:
> On 20-09-29 13:50:28, Anant Thazhemadam wrote:
>> When get_registers() fails (which happens when usb_control_msg() fails)
>> in set_ethernet_addr(), the uninitialized value of node_id gets copied
>> as the address.
>>
>> Checking for the return values appropriately, and handling the case
>> wherein set_ethernet_addr() fails like this, helps in avoiding the
>> mac address being incorrectly set in this manner.
>>
>> Reported-by: syzbot+abbc768b560c84d92fd3@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Tested-by: syzbot+abbc768b560c84d92fd3@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@xxxxxxxxx>
>> ---
>> drivers/net/usb/rtl8150.c | 24 ++++++++++++++++--------
>> 1 file changed, 16 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
>> index 733f120c852b..e542a9ab2ff8 100644
>> --- a/drivers/net/usb/rtl8150.c
>> +++ b/drivers/net/usb/rtl8150.c
>> @@ -150,7 +150,7 @@ static const char driver_name [] = "rtl8150";
>> ** device related part of the code
>> **
>> */
>> -static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
>> +static int get_registers(rtl8150_t *dev, u16 indx, u16 size, void *data)
>> {
>> void *buf;
>> int ret;
>> @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
>> return 1;
>> }
>>
>> -static inline void set_ethernet_addr(rtl8150_t * dev)
>> +static bool set_ethernet_addr(rtl8150_t *dev)
>> {
>> u8 node_id[6];
>> + int ret;
>>
>> - get_registers(dev, IDR, sizeof(node_id), node_id);
>> - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
>> + ret = get_registers(dev, IDR, sizeof(node_id), node_id);
>> + if (ret > 0 && ret <= sizeof(node_id)) {
> get_registers() was recently modified to use usb_control_msg_recv() which does
> not return partial reads. IOW you'll either get negative value or
> sizeof(node_id). Since it is good to be paranoid i'd convert the above check
> to:
>
> if (ret == sizeof(node_id)) {
>
> and fail in any other case. Apart from this minor detail the rest of the patch
> looks good to me.
>
> Acked-by: Petko Manolov
Got it. I'll be sure to include this in a v2, and send that in soon enough.
Thanks for pointing that out. :)
Thanks,
Anant