* KMSAN: uninit-value in smsc75xx_bind
From: syzbot
Date: 2019-08-09 8:48 UTC
To: davem, glider, linux-kernel, linux-usb, netdev, steve.glendinning, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    beaab8a3 fix KASAN build
git tree:       kmsan
console output: https://syzkaller.appspot.com/x/log.txt?x=13d7b65c600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4db781fe35a84ef5
dashboard link: https://syzkaller.appspot.com/bug?extid=6966546b78d050bb0b5d
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14ab9ef0600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11be2b34600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6966546b78d050bb0b5d@syzkaller.appspotmail.com

==================================================================
BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:976 [inline]
BUG: KMSAN: uninit-value in smsc75xx_bind+0x541/0x12d0 drivers/net/usb/smsc75xx.c:1483
CPU: 0 PID: 2892 Comm: kworker/0:2 Not tainted 5.2.0+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
 smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:976 [inline]
 smsc75xx_bind+0x541/0x12d0 drivers/net/usb/smsc75xx.c:1483
 usbnet_probe+0x10d3/0x3950 drivers/net/usb/usbnet.c:1722
 usb_probe_interface+0xd19/0x1310 drivers/usb/core/driver.c:361
 really_probe+0x1344/0x1d90 drivers/base/dd.c:513
 driver_probe_device+0x1ba/0x510 drivers/base/dd.c:670
 __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:777
 bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
 __device_attach+0x489/0x750 drivers/base/dd.c:843
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:890
 bus_probe_device+0x131/0x390 drivers/base/bus.c:514
 device_add+0x25b5/0x2df0 drivers/base/core.c:2111
 usb_set_configuration+0x309f/0x3710 drivers/usb/core/message.c:2027
 generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
 usb_probe_device+0x146/0x200 drivers/usb/core/driver.c:266
 really_probe+0x1344/0x1d90 drivers/base/dd.c:513
 driver_probe_device+0x1ba/0x510 drivers/base/dd.c:670
 __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:777
 bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
 __device_attach+0x489/0x750 drivers/base/dd.c:843
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:890
 bus_probe_device+0x131/0x390 drivers/base/bus.c:514
 device_add+0x25b5/0x2df0 drivers/base/core.c:2111
 usb_new_device+0x23e5/0x2fb0 drivers/usb/core/hub.c:2534
 hub_port_connect drivers/usb/core/hub.c:5089 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
 port_event drivers/usb/core/hub.c:5350 [inline]
 hub_event+0x5853/0x7320 drivers/usb/core/hub.c:5432
 process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269
 process_scheduled_works kernel/workqueue.c:2331 [inline]
 worker_thread+0x189c/0x2460 kernel/workqueue.c:2417
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Local variable description: ----buf.i93@smsc75xx_bind
Variable was created at:
 __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
 smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:969 [inline]
 smsc75xx_bind+0x44c/0x12d0 drivers/net/usb/smsc75xx.c:1483
 usbnet_probe+0x10d3/0x3950 drivers/net/usb/usbnet.c:1722
==================================================================

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: KMSAN: uninit-value in smsc75xx_bind
From: Oliver Neukum
Date: 2019-08-13 12:43 UTC
To: syzbot, davem, glider, syzkaller-bugs, steve.glendinning, linux-kernel, linux-usb, netdev

On Friday, 09.08.2019, 01:48 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    beaab8a3 fix KASAN build
> git tree:       kmsan
[..]
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x191/0x1f0 lib/dump_stack.c:113
>  kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
>  __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
>  smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:976 [inline]
>  smsc75xx_bind+0x541/0x12d0 drivers/net/usb/smsc75xx.c:1483
>
> Local variable description: ----buf.i93@smsc75xx_bind
> Variable was created at:
>  __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
>  smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:969 [inline]
>  smsc75xx_bind+0x44c/0x12d0 drivers/net/usb/smsc75xx.c:1483
>  usbnet_probe+0x10d3/0x3950 drivers/net/usb/usbnet.c:1722

Hi,

this looks like a false positive to me.
The offending code is likely this:

	if (size) {
		buf = kmalloc(size, GFP_KERNEL);
		if (!buf)
			goto out;
	}

	err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
		cmd, reqtype, value, index, buf, size,
		USB_CTRL_GET_TIMEOUT);

which uses 'buf' uninitialized. But it is used for input.
What is happening here?

	Regards
		Oliver
* Re: KMSAN: uninit-value in smsc75xx_bind
From: Andrey Konovalov
Date: 2019-08-13 15:08 UTC
To: Oliver Neukum
Cc: syzbot, David S. Miller, Alexander Potapenko, syzkaller-bugs, steve.glendinning, LKML, USB list, netdev

On Tue, Aug 13, 2019 at 2:43 PM Oliver Neukum <oneukum@suse.com> wrote:
>
> Am Freitag, den 09.08.2019, 01:48 -0700 schrieb syzbot:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    beaab8a3 fix KASAN build
> > git tree:       kmsan
> > [..]
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> >  kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
> >  __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
> >  smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:976 [inline]
> >  smsc75xx_bind+0x541/0x12d0 drivers/net/usb/smsc75xx.c:1483
> >
> > Local variable description: ----buf.i93@smsc75xx_bind
> > Variable was created at:
> >  __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
> >  smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:969 [inline]
> >  smsc75xx_bind+0x44c/0x12d0 drivers/net/usb/smsc75xx.c:1483
> >  usbnet_probe+0x10d3/0x3950 drivers/net/usb/usbnet.c:1722
>
> Hi,
>
> this looks like a false positive to me.
> The offending code is likely this:
>
>         if (size) {
>                 buf = kmalloc(size, GFP_KERNEL);
>                 if (!buf)
>                         goto out;
>         }
>
>         err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
>                 cmd, reqtype, value, index, buf, size,
>                 USB_CTRL_GET_TIMEOUT);
>
> which uses 'buf' uninitialized. But it is used for input.
> What is happening here?

AFAICS, the uninitialized use of buf that KMSAN points out is in the
"if (buf & PMT_CTL_DEV_RDY)" statement in smsc75xx_wait_ready(). Does
__smsc75xx_read_reg/usb_control_msg() always initialize buf? Can it
just initialize the first few bytes for example?
* Re: KMSAN: uninit-value in smsc75xx_bind
From: Oliver Neukum
Date: 2019-08-14 10:16 UTC
To: Andrey Konovalov
Cc: David S. Miller, Alexander Potapenko, syzkaller-bugs, steve.glendinning, syzbot, LKML, USB list, netdev

On Tuesday, 13.08.2019, 17:08 +0200, Andrey Konovalov wrote:
> On Tue, Aug 13, 2019 at 2:43 PM Oliver Neukum <oneukum@suse.com> wrote:
> >
> > Hi,
> >
> > this looks like a false positive to me.
> > The offending code is likely this:
> >
> >         if (size) {
> >                 buf = kmalloc(size, GFP_KERNEL);
> >                 if (!buf)
> >                         goto out;
> >         }
> >
> >         err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
> >                 cmd, reqtype, value, index, buf, size,
> >                 USB_CTRL_GET_TIMEOUT);
> >
> > which uses 'buf' uninitialized. But it is used for input.
> > What is happening here?
>
> AFAICS, the uninitialized use of buf that KMSAN points out is in the
> "if (buf & PMT_CTL_DEV_RDY)" statement in smsc75xx_wait_ready(). Does
> __smsc75xx_read_reg/usb_control_msg() always initialize buf? Can it
> just initialize the first few bytes for example?

Hi,

you are unfortunately right and this is not the only driver
vulnerable in this way. I am going through them.

	Regards
		Oliver
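The short-transfer case Andrey raises above, and the pattern Oliver then says is shared by other drivers, worked through as an added C illustration. This is not the smsc75xx driver's code and not the kernel's usb_control_msg(): `mock_control_read` stands in for a control transfer that, like usb_control_msg(), returns the number of bytes actually transferred, `DEV_RDY_BIT` is a hypothetical bit position, and the sample byte arrays are constructed. A read that completes short leaves the tail of the buffer holding whatever kmalloc() handed back, so a ready-bit test that only checks for a negative return is decided by stale memory; the variant beside it rejects anything but a full-length transfer before consulting the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REG_SIZE 4
/* Hypothetical bit position, chosen for this example only; it sits in
 * byte 2 of a little-endian register so a 2-byte short read misses it. */
#define DEV_RDY_BIT 0x00010000u

/* Constructed sample data (not from any real device). */
static const uint8_t DEV_NOT_READY[REG_SIZE] = {0x00, 0x00, 0x00, 0x00};
static const uint8_t DEV_READY[REG_SIZE]     = {0x00, 0x00, 0x01, 0x00};
static const uint8_t STALE_FF[REG_SIZE]      = {0xFF, 0xFF, 0xFF, 0xFF};
static const uint8_t STALE_ZERO[REG_SIZE]    = {0x00, 0x00, 0x00, 0x00};

/* Stand-in for a register-read control transfer. Like usb_control_msg()
 * it returns the byte count actually transferred, or a negative error
 * (here -5 when no device bytes are available). The device supplies only
 * `avail` bytes, so a short transfer leaves the tail of `buf` untouched. */
static int mock_control_read(const uint8_t *dev_bytes, size_t avail,
                             uint8_t *buf, size_t size)
{
    if (!dev_bytes)
        return -5;
    size_t n = avail < size ? avail : size;
    memcpy(buf, dev_bytes, n);
    return (int)n;
}

static uint32_t le32_to_host(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern: only a negative return counts as failure, so after a
 * short transfer the stale bytes (modelled by `stale`, what kmalloc() memory
 * might already contain) decide the ready test. This is the kind of use
 * KMSAN reports. Returns 1 ready, 0 not ready, -1 transfer error. */
int dev_ready_unchecked(const uint8_t *dev_bytes, size_t avail,
                        const uint8_t stale[REG_SIZE])
{
    uint8_t buf[REG_SIZE];
    memcpy(buf, stale, REG_SIZE);
    int ret = mock_control_read(dev_bytes, avail, buf, REG_SIZE);
    if (ret < 0)
        return -1;
    return (le32_to_host(buf) & DEV_RDY_BIT) ? 1 : 0;
}

/* Checked pattern: demand the full register and refuse to interpret a
 * partially filled buffer. Returns 1 ready, 0 not ready, -1 transfer
 * error, -2 short transfer. */
int dev_ready_checked(const uint8_t *dev_bytes, size_t avail,
                      const uint8_t stale[REG_SIZE])
{
    uint8_t buf[REG_SIZE];
    memcpy(buf, stale, REG_SIZE);
    int ret = mock_control_read(dev_bytes, avail, buf, REG_SIZE);
    if (ret < 0)
        return -1;
    if (ret != REG_SIZE)
        return -2;
    return (le32_to_host(buf) & DEV_RDY_BIT) ? 1 : 0;
}

int main(void)
{
    /* Same not-ready device, 2-byte short transfer: the answer of the
     * unchecked variant depends on what the buffer held beforehand. */
    printf("unchecked, stale 0xFF: %d\n", dev_ready_unchecked(DEV_NOT_READY, 2, STALE_FF));
    printf("unchecked, stale 0x00: %d\n", dev_ready_unchecked(DEV_NOT_READY, 2, STALE_ZERO));
    printf("checked,   short read: %d\n", dev_ready_checked(DEV_NOT_READY, 2, STALE_FF));
    printf("checked,   full read : %d\n", dev_ready_checked(DEV_READY, 4, STALE_FF));
    return 0;
}
```

The point of the two `stale` inputs is that the unchecked variant's result is not merely wrong but nondeterministic: it reports "ready" when the allocation happened to contain 0xFF and "not ready" when it contained zeros, which is why such bugs surface only under an initialisation checker like KMSAN. Comparing the transfer length against the size requested, rather than only testing for a negative return, is the check that removes the dependency on allocator contents.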