Re: KMSAN: uninit-value in smsc75xx_bind

From: Oliver Neukum
Date: Wed Aug 14 2019 - 06:16:11 EST

Next message: Jan Kara: "Re: [RFC PATCH v2 00/19] RDMA/FS DAX truncate proposal V1,000,002 ;-)"
Previous message: Lorenzo Pieralisi: "Re: [PATCH] PCI: pci-hyperv: fix build errors on non-SYSFS config"
In reply to: Andrey Konovalov: "Re: KMSAN: uninit-value in smsc75xx_bind"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am Dienstag, den 13.08.2019, 17:08 +0200 schrieb Andrey Konovalov:
> On Tue, Aug 13, 2019 at 2:43 PM Oliver Neukum <oneukum@xxxxxxxx> wrote:
> >
> >
> > Hi,
> >
> > this looks like a false positive to me.
> > The offending code is likely this:
> >
> > if (size) {
> > buf = kmalloc(size, GFP_KERNEL);
> > if (!buf)
> > goto out;
> > }
> >
> > err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
> > cmd, reqtype, value, index, buf, size,
> > USB_CTRL_GET_TIMEOUT);
> >
> > which uses 'buf' uninitialized. But it is used for input.
> > What is happening here?
>
> AFAICS, the uninitialized use of buf that KMSAN points out is in the
> "if (buf & PMT_CTL_DEV_RDY)" statement in smsc75xx_wait_ready(). Does
> __smsc75xx_read_reg/usb_control_msg() always initialize buf? Can it
> just initialize the first few bytes for example?
>

Hi,

you are unfortunately right and this is not the only driver vulnerable
in this way. I am going through them.

Regards
Oliver

Next message: Jan Kara: "Re: [RFC PATCH v2 00/19] RDMA/FS DAX truncate proposal V1,000,002 ;-)"
Previous message: Lorenzo Pieralisi: "Re: [PATCH] PCI: pci-hyperv: fix build errors on non-SYSFS config"
In reply to: Andrey Konovalov: "Re: KMSAN: uninit-value in smsc75xx_bind"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]