Re: KMSAN: uninit-value in smsc75xx_bind
From: Oliver Neukum
Date: Wed Aug 14 2019 - 06:16:11 EST
Am Dienstag, den 13.08.2019, 17:08 +0200 schrieb Andrey Konovalov:
> On Tue, Aug 13, 2019 at 2:43 PM Oliver Neukum <oneukum@xxxxxxxx> wrote:
> >
> >
> > Hi,
> >
> > this looks like a false positive to me.
> > The offending code is likely this:
> >
> > if (size) {
> > buf = kmalloc(size, GFP_KERNEL);
> > if (!buf)
> > goto out;
> > }
> >
> > err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
> > cmd, reqtype, value, index, buf, size,
> > USB_CTRL_GET_TIMEOUT);
> >
> > which uses 'buf' uninitialized. But it is used for input.
> > What is happening here?
>
> AFAICS, the uninitialized use of buf that KMSAN points out is in the
> "if (buf & PMT_CTL_DEV_RDY)" statement in smsc75xx_wait_ready(). Does
> __smsc75xx_read_reg/usb_control_msg() always initialize buf? Can it
> just initialize the first few bytes for example?
>
Hi,
you are unfortunately right and this is not the only driver vulnerable
in this way. I am going through them.
Regards
Oliver