From: Oliver Neukum <oneukum@suse.com>
To: syzbot <syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com>,
gustavo@embeddedor.com, glider@google.com,
syzkaller-bugs@googlegroups.com, gregkh@linuxfoundation.org,
linux-usb@vger.kernel.org
Subject: Re: KMSAN: kernel-usb-infoleak in pcan_usb_pro_send_req
Date: Tue, 06 Aug 2019 14:45:25 +0200 [thread overview]
Message-ID: <1565095525.8136.22.camel@suse.com> (raw)
In-Reply-To: <00000000000014c877058ee2c4a6@google.com>
Am Dienstag, den 30.07.2019, 02:38 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 41550654 [UPSTREAM] KVM: x86: degrade WARN to pr_warn_rate..
> git tree: kmsan
> console output: https://syzkaller.appspot.com/x/log.txt?x=13e95183a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=40511ad0c5945201
> dashboard link: https://syzkaller.appspot.com/bug?extid=513e4d0985298538bf9b
> compiler: clang version 9.0.0 (/home/glider/llvm/clang
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17eafa1ba00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17b87983a00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com
#syz test: https://github.com/google/kasan.git 41550654
From 6de76fa3df8aedc7a76dc0ecdea8308e38d4dccc Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 6 Aug 2019 14:41:52 +0200
Subject: [PATCH] pcan_usb_fd: zero out the common command buffer
Lest we leak kernel memory to a device we better zero out buffers.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
index 34761c3a6286..47cc1ff5b88e 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
@@ -841,7 +841,7 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev)
goto err_out;
/* allocate command buffer once for all for the interface */
- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE,
+ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE,
GFP_KERNEL);
if (!pdev->cmd_buffer_addr)
goto err_out_1;
--
2.16.4
next prev parent reply other threads:[~2019-08-06 12:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-30 9:38 KMSAN: kernel-usb-infoleak in pcan_usb_pro_send_req syzbot
2019-07-30 14:17 ` Alan Stern
2019-07-30 14:20 ` Andrey Konovalov
2019-07-30 14:22 ` Andrey Konovalov
2019-07-30 14:28 ` Alexander Potapenko
2019-08-06 12:45 ` Oliver Neukum [this message]
2019-08-06 12:45 ` syzbot
2019-08-06 12:49 ` Andrey Konovalov
2019-08-06 13:59 ` Alan Stern
2019-08-06 14:00 ` Andrey Konovalov
2019-08-06 13:05 ` Oliver Neukum
2019-08-06 14:44 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1565095525.8136.22.camel@suse.com \
--to=oneukum@suse.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=gustavo@embeddedor.com \
--cc=linux-usb@vger.kernel.org \
--cc=syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).