On 20-09-29 13:50:28, Anant Thazhemadam wrote:
> When get_registers() fails (which happens when usb_control_msg() fails)
> in set_ethernet_addr(), the uninitialized value of node_id gets copied
> as the address.
>
> Checking for the return values appropriately, and handling the case
> wherein set_ethernet_addr() fails like this, helps in avoiding the
> mac address being incorrectly set in this manner.
>
> Reported-by: syzbot+abbc768b560c84d92fd3@xxxxxxxxxxxxxxxxxxxxxxxxx
> Tested-by: syzbot+abbc768b560c84d92fd3@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@xxxxxxxxx>
> ---
> drivers/net/usb/rtl8150.c | 24 ++++++++++++++++--------
> 1 file changed, 16 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
> index 733f120c852b..e542a9ab2ff8 100644
> --- a/drivers/net/usb/rtl8150.c
> +++ b/drivers/net/usb/rtl8150.c
> @@ -150,7 +150,7 @@ static const char driver_name [] = "rtl8150";
> ** device related part of the code
> **
> */
> -static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
> +static int get_registers(rtl8150_t *dev, u16 indx, u16 size, void *data)
> {
> void *buf;
> int ret;
> @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg)
> return 1;
> }
>
> -static inline void set_ethernet_addr(rtl8150_t * dev)
> +static bool set_ethernet_addr(rtl8150_t *dev)
> {
> u8 node_id[6];
> + int ret;
>
> - get_registers(dev, IDR, sizeof(node_id), node_id);
> - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
> + ret = get_registers(dev, IDR, sizeof(node_id), node_id);
> + if (ret > 0 && ret <= sizeof(node_id)) {
get_registers() was recently modified to use usb_control_msg_recv() which does
not return partial reads. IOW you'll either get negative value or
sizeof(node_id). Since it is good to be paranoid i'd convert the above check
to:
if (ret == sizeof(node_id)) {
and fail in any other case. Apart from this minor detail the rest of the patch
looks good to me.
Acked-by: Petko Manolov
