Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size

From: "Bjørn Mork" <bjorn@mork.no>
To: Oliver Neukum <oneukum@suse.com>
Cc: syzbot <syzbot+0631d878823ce2411636@syzkaller.appspotmail.com>,
	davem@davemloft.net, glider@google.com,
	linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
	netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: KMSAN: uninit-value in cdc_ncm_set_dgram_size
Date: Tue, 05 Nov 2019 13:25:05 +0100	[thread overview]
Message-ID: <875zjy33z2.fsf@miraculix.mork.no> (raw)
In-Reply-To: <1572952516.2921.6.camel@suse.com> (Oliver Neukum's message of "Tue, 05 Nov 2019 12:15:16 +0100")

Oliver Neukum <oneukum@suse.com> writes:
> Am Montag, den 04.11.2019, 22:22 +0100 schrieb Bjørn Mork:
>> This looks like a false positive to me. max_datagram_size is two bytes
>> declared as
>> 
>>         __le16 max_datagram_size;
>> 
>> and the code leading up to the access on drivers/net/usb/cdc_ncm.c:587
>> is:
>> 
>>         /* read current mtu value from device */
>>         err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
>>                               USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
>>                               0, iface_no, &max_datagram_size, 2);
>
> At this point err can be 1.
>
>>         if (err < 0) {
>>                 dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
>>                 goto out;
>>         }
>> 
>>         if (le16_to_cpu(max_datagram_size) == ctx->max_datagram_size)
>> 
>> 
>> 
>> AFAICS, there is no way max_datagram_size can be uninitialized here.
>> usbnet_read_cmd() either read 2 bytes into it or returned an error,
>
> No. usbnet_read_cmd() will return the number of bytes transfered up
> to the number requested or an error.

Ah, OK. So that could be fixed with e.g.

  if (err < 2)
       goto out;


Or would it be better to add a strict length checking variant of this
API?  There are probably lots of similar cases where we expect a
multibyte value and a short read is (or should be) considered an error.
I can't imagine any situation where we want a 2, 4, 6 or 8 byte value
and expect a flexible length returned.

>> causing the access to be skipped.  Or am I missing something?
>
> Yes. You can get half the MTU. We have a similar class of bugs
> with MAC addresses.

Right.  And probably all 16 or 32 bit integer reads...

Looking at the NCM spec, I see that the wording is annoyingly flexible
wrt length - both ways.  E.g for GetNetAddress:

  To get the entire network address, the host should set wLength to at
  least 6. The function shall never return more than 6 bytes in response
  to this command.

Maybe the correct fix is simply to let usbnet_read_cmd() initialize the
full buffer regardless of what the device returns?  I.e.

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index dde05e2fdc3e..df3efafca450 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1982,7 +1982,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
                   cmd, reqtype, value, index, size);
 
        if (size) {
-               buf = kmalloc(size, GFP_KERNEL);
+               buf = kzalloc(size, GFP_KERNEL);
                if (!buf)
                        goto out;
        }
@@ -1992,7 +1992,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
                              USB_CTRL_GET_TIMEOUT);
        if (err > 0 && err <= size) {
         if (data)
-            memcpy(data, buf, err);
+            memcpy(data, buf, size);
         else
             netdev_dbg(dev->net,
                 "Huh? Data requested but thrown away.\n");




What do you think?

Personally, I don't think it makes sense for a device to return a 1-byte
mtu or 3-byte mac address. But the spec allows it and this would at
least make it safe.

We have a couple of similar bugs elsewhere in the same driver, BTW..


Bjørn
