From: Anant Thazhemadam <anant.thazhemadam@gmail.com> To: unlisted-recipients:; (no To-header on input) Cc: linux-kernel-mentees@lists.linuxfoundation.org, Anant Thazhemadam <anant.thazhemadam@gmail.com>, syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com, Petko Manolov <petkan@nucleusys.com>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [Linux-kernel-mentees][PATCH v2] net: usb: rtl8150: prevent set_ethernet_addr from setting uninit address Date: Thu, 1 Oct 2020 13:02:20 +0530 [thread overview] Message-ID: <20201001073221.239618-1-anant.thazhemadam@gmail.com> (raw) When get_registers() fails (which happens when usb_control_msg() fails) in set_ethernet_addr(), the uninitialized value of node_id gets copied as the address. Checking for the return values appropriately, and handling the case wherein set_ethernet_addr() fails like this, helps in avoiding the mac address being incorrectly set in this manner. Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com> Acked-by: Petko Manolov <petkan@nucleusys.com> --- Changes in v2: * Modified condition checking get_registers()'s return value to ret == sizeof(node_id) for stricter checking in compliance with the new usb_control_msg_recv() API * Added Acked-by: Petko Manolov Since Petko didn't explicitly mention an email-id in his Ack, I put the email-id present in the MAINTAINERS file. I hope that's not an issue. drivers/net/usb/rtl8150.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c index 733f120c852b..e542a9ab2ff8 100644 --- a/drivers/net/usb/rtl8150.c +++ b/drivers/net/usb/rtl8150.c @@ -150,7 +150,7 @@ static const char driver_name [] = "rtl8150"; ** device related part of the code ** */ -static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data) +static int get_registers(rtl8150_t *dev, u16 indx, u16 size, void *data) { void *buf; int ret; @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg) return 1; } -static inline void set_ethernet_addr(rtl8150_t * dev) +static bool set_ethernet_addr(rtl8150_t *dev) { u8 node_id[6]; + int ret; - get_registers(dev, IDR, sizeof(node_id), node_id); - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); + ret = get_registers(dev, IDR, sizeof(node_id), node_id); + if (ret == sizeof(node_id)) { + memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); + return true; + } + return false; } static int rtl8150_set_mac_address(struct net_device *netdev, void *p) @@ -909,21 +914,24 @@ static int rtl8150_probe(struct usb_interface *intf, goto out1; } fill_skb_pool(dev); - set_ethernet_addr(dev); - + if (!set_ethernet_addr(dev)) { + dev_err(&intf->dev, "couldn't set the ethernet address for the device\n"); + goto out2; + } usb_set_intfdata(intf, dev); SET_NETDEV_DEV(netdev, &intf->dev); if (register_netdev(netdev) != 0) { dev_err(&intf->dev, "couldn't register the device\n"); - goto out2; + goto out3; } dev_info(&intf->dev, "%s: rtl8150 is detected\n", netdev->name); return 0; -out2: +out3: usb_set_intfdata(intf, NULL); +out2: free_skb_pool(dev); out1: free_all_urbs(dev); -- 2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Anant Thazhemadam <anant.thazhemadam@gmail.com> Cc: Anant Thazhemadam <anant.thazhemadam@gmail.com>, Petko Manolov <petkan@nucleusys.com>, syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com, netdev@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Jakub Kicinski <kuba@kernel.org>, linux-kernel-mentees@lists.linuxfoundation.org, "David S. Miller" <davem@davemloft.net> Subject: [Linux-kernel-mentees] [PATCH v2] net: usb: rtl8150: prevent set_ethernet_addr from setting uninit address Date: Thu, 1 Oct 2020 13:02:20 +0530 [thread overview] Message-ID: <20201001073221.239618-1-anant.thazhemadam@gmail.com> (raw) When get_registers() fails (which happens when usb_control_msg() fails) in set_ethernet_addr(), the uninitialized value of node_id gets copied as the address. Checking for the return values appropriately, and handling the case wherein set_ethernet_addr() fails like this, helps in avoiding the mac address being incorrectly set in this manner. Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com> Acked-by: Petko Manolov <petkan@nucleusys.com> --- Changes in v2: * Modified condition checking get_registers()'s return value to ret == sizeof(node_id) for stricter checking in compliance with the new usb_control_msg_recv() API * Added Acked-by: Petko Manolov Since Petko didn't explicitly mention an email-id in his Ack, I put the email-id present in the MAINTAINERS file. I hope that's not an issue. drivers/net/usb/rtl8150.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c index 733f120c852b..e542a9ab2ff8 100644 --- a/drivers/net/usb/rtl8150.c +++ b/drivers/net/usb/rtl8150.c @@ -150,7 +150,7 @@ static const char driver_name [] = "rtl8150"; ** device related part of the code ** */ -static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data) +static int get_registers(rtl8150_t *dev, u16 indx, u16 size, void *data) { void *buf; int ret; @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg) return 1; } -static inline void set_ethernet_addr(rtl8150_t * dev) +static bool set_ethernet_addr(rtl8150_t *dev) { u8 node_id[6]; + int ret; - get_registers(dev, IDR, sizeof(node_id), node_id); - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); + ret = get_registers(dev, IDR, sizeof(node_id), node_id); + if (ret == sizeof(node_id)) { + memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); + return true; + } + return false; } static int rtl8150_set_mac_address(struct net_device *netdev, void *p) @@ -909,21 +914,24 @@ static int rtl8150_probe(struct usb_interface *intf, goto out1; } fill_skb_pool(dev); - set_ethernet_addr(dev); - + if (!set_ethernet_addr(dev)) { + dev_err(&intf->dev, "couldn't set the ethernet address for the device\n"); + goto out2; + } usb_set_intfdata(intf, dev); SET_NETDEV_DEV(netdev, &intf->dev); if (register_netdev(netdev) != 0) { dev_err(&intf->dev, "couldn't register the device\n"); - goto out2; + goto out3; } dev_info(&intf->dev, "%s: rtl8150 is detected\n", netdev->name); return 0; -out2: +out3: usb_set_intfdata(intf, NULL); +out2: free_skb_pool(dev); out1: free_all_urbs(dev); -- 2.25.1 _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next reply other threads:[~2020-10-01 7:33 UTC|newest] Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-10-01 7:32 Anant Thazhemadam [this message] 2020-10-01 7:32 ` [Linux-kernel-mentees] [PATCH v2] net: usb: rtl8150: prevent set_ethernet_addr from setting uninit address Anant Thazhemadam 2020-10-02 2:15 ` [Linux-kernel-mentees][PATCH " David Miller 2020-10-02 2:15 ` [Linux-kernel-mentees] [PATCH " David Miller 2020-10-02 11:34 ` Anant Thazhemadam 2020-10-02 11:34 ` [Linux-kernel-mentees] " Anant Thazhemadam 2020-10-02 11:54 ` Greg KH 2020-10-02 11:54 ` [Linux-kernel-mentees] " Greg KH 2020-10-02 12:05 ` Anant Thazhemadam 2020-10-02 12:05 ` [Linux-kernel-mentees] " Anant Thazhemadam 2020-10-02 14:29 ` Petko Manolov 2020-10-02 14:29 ` [Linux-kernel-mentees] " Petko Manolov 2020-10-03 5:51 ` Anant Thazhemadam 2020-10-03 5:51 ` [Linux-kernel-mentees] " Anant Thazhemadam 2020-10-02 22:38 ` David Miller 2020-10-02 22:38 ` [Linux-kernel-mentees] " David Miller 2020-10-03 5:54 ` Anant Thazhemadam 2020-10-03 5:54 ` [Linux-kernel-mentees] " Anant Thazhemadam 2020-10-03 19:38 ` [Linux-kernel-mentees][PATCH " Joe Perches 2020-10-03 19:38 ` [Linux-kernel-mentees] [PATCH " Joe Perches 2020-10-03 20:58 ` Anant Thazhemadam 2020-10-03 20:58 ` [Linux-kernel-mentees] " Anant Thazhemadam
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20201001073221.239618-1-anant.thazhemadam@gmail.com \ --to=anant.thazhemadam@gmail.com \ --cc=davem@davemloft.net \ --cc=kuba@kernel.org \ --cc=linux-kernel-mentees@lists.linuxfoundation.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-usb@vger.kernel.org \ --cc=netdev@vger.kernel.org \ --cc=petkan@nucleusys.com \ --cc=syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.