From: Kalle Valo <kvalo@kernel.org>
To: Pavel Skripkin <paskripkin@gmail.com>
Cc: ath9k-devel@qca.qualcomm.com, kvalo@codeaurora.org,
	davem@davemloft.net, kuba@kernel.org, linville@tuxdriver.com,
	vasanth@atheros.com, Sujith.Manoharan@atheros.com,
	senthilkumar@atheros.com, linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Pavel Skripkin <paskripkin@gmail.com>,
	syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com
Subject: Re: [PATCH] ath9k_htc: fix uninit value bugs
Date: Mon, 17 Jan 2022 12:57:08 +0000 (UTC)
Message-ID: <164242422410.16718.5618838300043178474.kvalo@kernel.org>
In-Reply-To: <20220115122733.11160-1-paskripkin@gmail.com>

Pavel Skripkin <paskripkin@gmail.com> wrote:

> Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing
> field initialization.
> 
> In htc_connect_service(), svc_meta_len and pad are not initialized. Based
> on the code, it looks like there is no service data in the current skb, so
> simply initialize svc_meta_len to 0.
> 
> htc_issue_send() does not initialize the htc_frame_hdr::control array. Based
> on the firmware code, the firmware initializes it by itself, so simply zero
> the whole array to make KMSAN happy.
> 
> Fail logs:
> 
> BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
>  usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
>  hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
>  hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
>  htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
>  htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
> ...
> 
> Uninit was created at:
>  slab_post_alloc_hook mm/slab.h:524 [inline]
>  slab_alloc_node mm/slub.c:3251 [inline]
>  __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
>  kmalloc_reserve net/core/skbuff.c:354 [inline]
>  __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
>  alloc_skb include/linux/skbuff.h:1126 [inline]
>  htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
> ...
> 
> Bytes 4-7 of 18 are uninitialized
> Memory access of size 18 starts at ffff888027377e00
> 
> BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
>  usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
>  hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
>  hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
>  htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
>  htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
> ...
> 
> Uninit was created at:
>  slab_post_alloc_hook mm/slab.h:524 [inline]
>  slab_alloc_node mm/slub.c:3251 [inline]
>  __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
>  kmalloc_reserve net/core/skbuff.c:354 [inline]
>  __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
>  alloc_skb include/linux/skbuff.h:1126 [inline]
>  htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
> ...
> 
> Bytes 16-17 of 18 are uninitialized
> Memory access of size 18 starts at ffff888027377e00
> 
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>

How did you test this? As syzbot is mentioned, I assume you did not test this on
a real device; it would help a lot if this is clearly mentioned in the commit
log. My trust in syzbot fixes is close to zero due to bad past history.

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20220115122733.11160-1-paskripkin@gmail.com/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
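The two KMSAN reports quoted above map directly onto the wire layout of the message htc_connect_service() builds: bytes 4-7 are htc_frame_hdr::control and bytes 16-17 are svc_meta_len and pad. The following is an added illustration written for this thread, not code from the patch or the ath9k driver; it mirrors the two structure layouts, poisons a buffer the way stale heap memory would look to KMSAN, and reports which bytes would reach usb_submit_urb() uninitialized before and after the fix (field values are constructed).

```c
#include <stdint.h>
#include <string.h>

/* Wire layout of the two ath9k_htc structures named in the report (field names
 * as in the driver): 8 + 10 = 18 bytes, the "size 18" in the KMSAN log. */
struct htc_frame_hdr {
	uint8_t  endpoint_id, flags;
	uint16_t payload_len;
	uint8_t  control[4];          /* bytes 4-7 of the message */
} __attribute__((packed));
struct htc_conn_svc_msg {
	uint16_t msg_id, service_id, con_flags;
	uint8_t  dl_pipeid, ul_pipeid;
	uint8_t  svc_meta_len, pad;   /* bytes 16-17 */
} __attribute__((packed));

#define POISON 0xAA  /* stands in for stale heap data that KMSAN tracks as uninit */

/* Fill buf like htc_connect_service(): fixed=0 reproduces the report (control[],
 * svc_meta_len and pad untouched), fixed=1 applies the patch's zeroing. Field
 * values are constructed for illustration. Returns the message length. */
static size_t build_conn_msg(uint8_t *buf, int fixed)
{
	struct htc_frame_hdr *hdr = (struct htc_frame_hdr *)buf;
	struct htc_conn_svc_msg *msg = (struct htc_conn_svc_msg *)(buf + sizeof(*hdr));

	memset(buf, POISON, sizeof(*hdr) + sizeof(*msg)); /* fresh, unzeroed skb data */
	msg->msg_id = 2; msg->service_id = 0x100; msg->con_flags = 0;
	msg->dl_pipeid = 1; msg->ul_pipeid = 2;
	hdr->endpoint_id = 0; hdr->flags = 0; hdr->payload_len = (uint16_t)sizeof(*msg);
	if (fixed) {
		msg->svc_meta_len = 0; msg->pad = 0;
		memset(hdr->control, 0, sizeof(hdr->control));
	}
	return sizeof(*hdr) + sizeof(*msg);
}

/* Bit n set => byte n would reach usb_submit_urb() uninitialized.
 * Returns 0x000300f0 (bytes 4-7 and 16-17) for fixed=0 and 0 for fixed=1. */
static uint32_t leak_mask(int fixed)
{
	uint8_t buf[32];
	uint32_t mask = 0;
	size_t i, n = build_conn_msg(buf, fixed);
	for (i = 0; i < n; i++)
		if (buf[i] == POISON) mask |= 1u << i;
	return mask;
}
```

The same byte-offset arithmetic is what lets a reviewer confirm from a KMSAN report alone which fields a patch must zero, without a device.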