linux-kernel-mentees.lists.linuxfoundation.org archive mirror
 help / color / mirror / Atom feed
* [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads
@ 2020-09-16  5:05 Anant Thazhemadam
  2020-09-16  6:19 ` Petko Manolov
  2020-09-16  6:22 ` Greg KH
  0 siblings, 2 replies; 6+ messages in thread
From: Anant Thazhemadam @ 2020-09-16  5:05 UTC (permalink / raw)
  Cc: Anant Thazhemadam, Petko Manolov, syzbot+abbc768b560c84d92fd3,
	netdev, linux-usb, linux-kernel, Jakub Kicinski,
	linux-kernel-mentees, David S. Miller

get_registers() copies whatever memory is written by the
usb_control_msg() call even if the underlying urb call ends up failing.

If get_registers() fails, or ends up reading 0 bytes, meaningless and 
junk register values would end up being copied over (and eventually read 
by the driver), and since most of the callers of get_registers() don't 
check the return values of get_registers() either, this would go unnoticed.

It might be a better idea to try and mirror the PCI master abort
termination and set memory to 0xFFs instead in such cases.

Fixes: https://syzkaller.appspot.com/bug?extid=abbc768b560c84d92fd3
Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
---
 drivers/net/usb/rtl8150.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 733f120c852b..04fca7bfcbcb 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -162,8 +162,13 @@ static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
 	ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
 			      RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
 			      indx, 0, buf, size, 500);
-	if (ret > 0 && ret <= size)
+
+	if (ret < 0)
+		memset(data, 0xff, size);
+
+	else
 		memcpy(data, buf, ret);
+
 	kfree(buf);
 	return ret;
 }
@@ -276,7 +281,7 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
 
 static inline void set_ethernet_addr(rtl8150_t * dev)
 {
-	u8 node_id[6];
+	u8 node_id[6] = {0};
 
 	get_registers(dev, IDR, sizeof(node_id), node_id);
 	memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
-- 
2.25.1

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads
  2020-09-16  5:05 [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads Anant Thazhemadam
@ 2020-09-16  6:19 ` Petko Manolov
  2020-09-16 13:38   ` Anant Thazhemadam
  2020-09-16  6:22 ` Greg KH
  1 sibling, 1 reply; 6+ messages in thread
From: Petko Manolov @ 2020-09-16  6:19 UTC (permalink / raw)
  To: Anant Thazhemadam
  Cc: syzbot+abbc768b560c84d92fd3, netdev, linux-usb, linux-kernel,
	Jakub Kicinski, linux-kernel-mentees, David S. Miller

On 20-09-16 10:35:40, Anant Thazhemadam wrote:
> get_registers() copies whatever memory is written by the
> usb_control_msg() call even if the underlying urb call ends up failing.

Not true, memcpy() is only called if "ret" is positive.

> If get_registers() fails, or ends up reading 0 bytes, meaningless and junk 
> register values would end up being copied over (and eventually read by the 
> driver), and since most of the callers of get_registers() don't check the 
> return values of get_registers() either, this would go unnoticed.

usb_control_msg() returns negative on error (look up usb_internal_control_msg() 
to see for yourself) so it does not go unnoticed.  If for some reason it return 
zero, nothing is copied.  Also, if usb transfer fail no register values are 
being copied anywhere.

Your patch also allows for memcpy() to be called with 'size' either zero or 
greater than the allocated buffer size. Please, look at the code carefully.

> It might be a better idea to try and mirror the PCI master abort
> termination and set memory to 0xFFs instead in such cases.

I wasn't aware drivers are now responsible for filling up the memory with 
anything.  Does not sound like a good idea to me.

> Fixes: https://syzkaller.appspot.com/bug?extid=abbc768b560c84d92fd3
> Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>

Well, NACK from me.


cheers,
Petko


> ---
>  drivers/net/usb/rtl8150.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
> index 733f120c852b..04fca7bfcbcb 100644
> --- a/drivers/net/usb/rtl8150.c
> +++ b/drivers/net/usb/rtl8150.c
> @@ -162,8 +162,13 @@ static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
>  	ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
>  			      RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
>  			      indx, 0, buf, size, 500);
> -	if (ret > 0 && ret <= size)
> +
> +	if (ret < 0)
> +		memset(data, 0xff, size);
> +
> +	else
>  		memcpy(data, buf, ret);
> +
>  	kfree(buf);
>  	return ret;
>  }
> @@ -276,7 +281,7 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
>  
>  static inline void set_ethernet_addr(rtl8150_t * dev)
>  {
> -	u8 node_id[6];
> +	u8 node_id[6] = {0};
>  
>  	get_registers(dev, IDR, sizeof(node_id), node_id);
>  	memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
> -- 
> 2.25.1
> 
> 
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads
  2020-09-16  5:05 [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads Anant Thazhemadam
  2020-09-16  6:19 ` Petko Manolov
@ 2020-09-16  6:22 ` Greg KH
  2020-09-16  6:39   ` Petko Manolov
  2020-09-16 13:40   ` Anant Thazhemadam
  1 sibling, 2 replies; 6+ messages in thread
From: Greg KH @ 2020-09-16  6:22 UTC (permalink / raw)
  To: Anant Thazhemadam
  Cc: Petko Manolov, syzbot+abbc768b560c84d92fd3, netdev, linux-usb,
	linux-kernel, Jakub Kicinski, linux-kernel-mentees,
	David S. Miller

On Wed, Sep 16, 2020 at 10:35:40AM +0530, Anant Thazhemadam wrote:
> get_registers() copies whatever memory is written by the
> usb_control_msg() call even if the underlying urb call ends up failing.
> 
> If get_registers() fails, or ends up reading 0 bytes, meaningless and 
> junk register values would end up being copied over (and eventually read 
> by the driver), and since most of the callers of get_registers() don't 
> check the return values of get_registers() either, this would go unnoticed.
> 
> It might be a better idea to try and mirror the PCI master abort
> termination and set memory to 0xFFs instead in such cases.

It would be better to use this new api call instead of
usb_control_msg():
	https://lore.kernel.org/r/20200914153756.3412156-1-gregkh@linuxfoundation.org

How about porting this patch to run on top of that series instead?  That
should make this logic much simpler.



> 
> Fixes: https://syzkaller.appspot.com/bug?extid=abbc768b560c84d92fd3
> Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
>  drivers/net/usb/rtl8150.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
> index 733f120c852b..04fca7bfcbcb 100644
> --- a/drivers/net/usb/rtl8150.c
> +++ b/drivers/net/usb/rtl8150.c
> @@ -162,8 +162,13 @@ static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
>  	ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
>  			      RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
>  			      indx, 0, buf, size, 500);
> -	if (ret > 0 && ret <= size)
> +
> +	if (ret < 0)
> +		memset(data, 0xff, size);
> +
> +	else
>  		memcpy(data, buf, ret);
> +
>  	kfree(buf);
>  	return ret;
>  }
> @@ -276,7 +281,7 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
>  
>  static inline void set_ethernet_addr(rtl8150_t * dev)
>  {
> -	u8 node_id[6];
> +	u8 node_id[6] = {0};

This should not be needed to be done.

thanks,

greg k-h
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads
  2020-09-16  6:22 ` Greg KH
@ 2020-09-16  6:39   ` Petko Manolov
  2020-09-16 13:40   ` Anant Thazhemadam
  1 sibling, 0 replies; 6+ messages in thread
From: Petko Manolov @ 2020-09-16  6:39 UTC (permalink / raw)
  To: Greg KH
  Cc: Anant Thazhemadam, syzbot+abbc768b560c84d92fd3, netdev,
	linux-usb, linux-kernel, Jakub Kicinski, linux-kernel-mentees,
	David S. Miller

On 20-09-16 08:22:27, Greg KH wrote:
> On Wed, Sep 16, 2020 at 10:35:40AM +0530, Anant Thazhemadam wrote:
> > get_registers() copies whatever memory is written by the
> > usb_control_msg() call even if the underlying urb call ends up failing.
> > 
> > If get_registers() fails, or ends up reading 0 bytes, meaningless and 
> > junk register values would end up being copied over (and eventually read 
> > by the driver), and since most of the callers of get_registers() don't 
> > check the return values of get_registers() either, this would go unnoticed.
> > 
> > It might be a better idea to try and mirror the PCI master abort
> > termination and set memory to 0xFFs instead in such cases.
> 
> It would be better to use this new api call instead of
> usb_control_msg():
> 	https://lore.kernel.org/r/20200914153756.3412156-1-gregkh@linuxfoundation.org

Heh, wasn't aware of the new api.

> How about porting this patch to run on top of that series instead?  That 
> should make this logic much simpler.

I'll need to check if in this case 'size' is the right amount of bytes expected 
and not an upper limit.  Then i'll convert it to the new api.


cheers,
Petko


> > Fixes: https://syzkaller.appspot.com/bug?extid=abbc768b560c84d92fd3
> > Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> > Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> > Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> > ---
> >  drivers/net/usb/rtl8150.c | 9 +++++++--
> >  1 file changed, 7 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
> > index 733f120c852b..04fca7bfcbcb 100644
> > --- a/drivers/net/usb/rtl8150.c
> > +++ b/drivers/net/usb/rtl8150.c
> > @@ -162,8 +162,13 @@ static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
> >  	ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
> >  			      RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
> >  			      indx, 0, buf, size, 500);
> > -	if (ret > 0 && ret <= size)
> > +
> > +	if (ret < 0)
> > +		memset(data, 0xff, size);
> > +
> > +	else
> >  		memcpy(data, buf, ret);
> > +
> >  	kfree(buf);
> >  	return ret;
> >  }
> > @@ -276,7 +281,7 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
> >  
> >  static inline void set_ethernet_addr(rtl8150_t * dev)
> >  {
> > -	u8 node_id[6];
> > +	u8 node_id[6] = {0};
> 
> This should not be needed to be done.
> 
> thanks,
> 
> greg k-h
> 
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads
  2020-09-16  6:19 ` Petko Manolov
@ 2020-09-16 13:38   ` Anant Thazhemadam
  0 siblings, 0 replies; 6+ messages in thread
From: Anant Thazhemadam @ 2020-09-16 13:38 UTC (permalink / raw)
  To: Petko Manolov
  Cc: syzbot+abbc768b560c84d92fd3, netdev, linux-usb, linux-kernel,
	Jakub Kicinski, linux-kernel-mentees, David S. Miller


On 16/09/20 11:49 am, Petko Manolov wrote:
> On 20-09-16 10:35:40, Anant Thazhemadam wrote:
>> get_registers() copies whatever memory is written by the
>> usb_control_msg() call even if the underlying urb call ends up failing.
> Not true, memcpy() is only called if "ret" is positive.
Right. I'm really sorry I fumbled and messed up the commit message
there. Thank you for pointing that out.
>> If get_registers() fails, or ends up reading 0 bytes, meaningless and junk 
>> register values would end up being copied over (and eventually read by the 
>> driver), and since most of the callers of get_registers() don't check the 
>> return values of get_registers() either, this would go unnoticed.
> usb_control_msg() returns negative on error (look up usb_internal_control_msg() 
> to see for yourself) so it does not go unnoticed.

When I said "this would go unnoticed", I meant get_register() failing would
go unnoticed, not that usb_control_msg() failing would go unnoticed.
I agree that get_registers() notices usb_control_msg() failing, and
appropriately returns the return value from usb_control_msg().
But there are many instances where get_registers() is called but the return
value of get_registers() is not checked, to see if it failed or not; hence, "this
would go unnoticed".

> If for some reason it return zero, nothing is copied.  Also, if usb transfer fail 
> no register values are being copied anywhere.

True.
Now consider set_ethernet_addr(), and suppose get_register() fails when
invoked from inside set_ethernet_addr().
As you said, no value is copied back, which means no value is copied back
into node_id, which leaves node_id uninitialized. This node_id (still
uninitialized) is then blindly copied into dev->netdev->dev_addr; which
is less than ideal and could also quickly prove to become an issue, right?

> Your patch also allows for memcpy() to be called with 'size' either zero or 
> greater than the allocated buffer size. Please, look at the code carefully.
Oh. I apologize for this. This can be reverted relatively easily.
>> It might be a better idea to try and mirror the PCI master abort
>> termination and set memory to 0xFFs instead in such cases.
> I wasn't aware drivers are now responsible for filling up the memory with 
> anything.  Does not sound like a good idea to me.
Since we copy the correct register values when get_register() doesn't fail,
I thought it might be a slightly better alternative to fill node_id with 0xFFs,
instead of leaving it go uninitialized in case get_registers() fails.

Also, what are the odds that a successful get_register() call would see
0xFFs being copied?
If that's very real scenario, then I admit this doesn't work at all.

The only other alternative approach I can think of that can handle the
issue I highlighted above, is to introduce checking for get_registers()'s
return values nearly everywhere it gets called.
Would that be a more preferable and welcome approach?

Thank you for your time.

Thanks,
Anant


_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads
  2020-09-16  6:22 ` Greg KH
  2020-09-16  6:39   ` Petko Manolov
@ 2020-09-16 13:40   ` Anant Thazhemadam
  1 sibling, 0 replies; 6+ messages in thread
From: Anant Thazhemadam @ 2020-09-16 13:40 UTC (permalink / raw)
  To: Greg KH
  Cc: Petko Manolov, syzbot+abbc768b560c84d92fd3, netdev, linux-usb,
	linux-kernel, Jakub Kicinski, linux-kernel-mentees,
	David S. Miller


On 16/09/20 11:52 am, Greg KH wrote:
> On Wed, Sep 16, 2020 at 10:35:40AM +0530, Anant Thazhemadam wrote:
>> get_registers() copies whatever memory is written by the
>> usb_control_msg() call even if the underlying urb call ends up failing.
>>
>> If get_registers() fails, or ends up reading 0 bytes, meaningless and 
>> junk register values would end up being copied over (and eventually read 
>> by the driver), and since most of the callers of get_registers() don't 
>> check the return values of get_registers() either, this would go unnoticed.
>>
>> It might be a better idea to try and mirror the PCI master abort
>> termination and set memory to 0xFFs instead in such cases.
> It would be better to use this new api call instead of
> usb_control_msg():
> 	https://lore.kernel.org/r/20200914153756.3412156-1-gregkh@linuxfoundation.org
>
> How about porting this patch to run on top of that series instead?  That
> should make this logic much simpler.
This looks viable to me. I'll be sure to try this out.
>> Fixes: https://syzkaller.appspot.com/bug?extid=abbc768b560c84d92fd3
>> Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
>> Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
>> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
>> ---
>>  drivers/net/usb/rtl8150.c | 9 +++++++--
>>  1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
>> index 733f120c852b..04fca7bfcbcb 100644
>> --- a/drivers/net/usb/rtl8150.c
>> +++ b/drivers/net/usb/rtl8150.c
>> @@ -162,8 +162,13 @@ static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
>>  	ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
>>  			      RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
>>  			      indx, 0, buf, size, 500);
>> -	if (ret > 0 && ret <= size)
>> +
>> +	if (ret < 0)
>> +		memset(data, 0xff, size);
>> +
>> +	else
>>  		memcpy(data, buf, ret);
>> +
>>  	kfree(buf);
>>  	return ret;
>>  }
>> @@ -276,7 +281,7 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
>>  
>>  static inline void set_ethernet_addr(rtl8150_t * dev)
>>  {
>> -	u8 node_id[6];
>> +	u8 node_id[6] = {0};
> This should not be needed to be done.

Noted.

Thank you for your time.

Thanks,
Anant

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2020-09-16 13:41 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-16  5:05 [Linux-kernel-mentees] [PATCH] rtl8150: set memory to all 0xFFs on failed register reads Anant Thazhemadam
2020-09-16  6:19 ` Petko Manolov
2020-09-16 13:38   ` Anant Thazhemadam
2020-09-16  6:22 ` Greg KH
2020-09-16  6:39   ` Petko Manolov
2020-09-16 13:40   ` Anant Thazhemadam

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).