On Thu, Jan 6, 2022 at 5:57 PM Pavel Skripkin <paskripkin@xxxxxxxxx> wrote: > > Syzbot reported uninit value in mcs7830_bind(). The problem was in > missing validation check for bytes read via usbnet_read_cmd(). > > usbnet_read_cmd() internally calls usb_control_msg(), that returns > number of bytes read. Code should validate that requested number of bytes > was actually read. > > So, this patch adds missing size validation check inside > mcs7830_get_reg() to prevent uninit value bugs > > CC: Arnd Bergmann <arnd@xxxxxxxx> > Reported-and-tested-by: syzbot+003c0a286b9af5412510@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 2a36d7083438 ("USB: driver for mcs7830 (aka DeLOCK) USB ethernet adapter") Looks good to me. Reviewed-by: Arnd Bergmann <arnd@xxxxxxxx> > Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx> > --- > > @Arnd, I am not sure about mcs7830_get_rev() function. > > Is get_reg(22, 2) == 1 valid read? If so, I think, we should call > usbnet_read_cmd() directly here, since other callers care only about > negative error values. I have no idea, I never had a datasheet for this device, only the hardware I bought cheaply and vendor source code I found somewhere on the net, and that was 16 years ago. I would not expect the hardware to ever return less data than was asked for, so any length checking would only have to account for attackers that fake this device. Arnd