On Thu, Jan 6, 2022 at 5:57 PM Pavel Skripkin <paskripkin@xxxxxxxxx> wrote:
>
> Syzbot reported uninit value in mcs7830_bind(). The problem was in
> missing validation check for bytes read via usbnet_read_cmd().
>
> usbnet_read_cmd() internally calls usb_control_msg(), that returns
> number of bytes read. Code should validate that requested number of bytes
> was actually read.
>
> So, this patch adds missing size validation check inside
> mcs7830_get_reg() to prevent uninit value bugs
>
> CC: Arnd Bergmann <arnd@xxxxxxxx>
> Reported-and-tested-by: syzbot+003c0a286b9af5412510@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 2a36d7083438 ("USB: driver for mcs7830 (aka DeLOCK) USB ethernet adapter")
Looks good to me.
Reviewed-by: Arnd Bergmann <arnd@xxxxxxxx>
> Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
> ---
>
> @Arnd, I am not sure about mcs7830_get_rev() function.
>
> Is get_reg(22, 2) == 1 valid read? If so, I think, we should call
> usbnet_read_cmd() directly here, since other callers care only about
> negative error values.
I have no idea, I never had a datasheet for this device, only
the hardware I bought cheaply and vendor source code I
found somewhere on the net, and that was 16 years ago.
I would not expect the hardware to ever return less data than
was asked for, so any length checking would only have to
account for attackers that fake this device.
Arnd
