From: Pavel Skripkin paskripkin@gmail.com
mainline inclusion from mainline-v5.16-rc7 commit 8035b1a2a37a29d8c717ef84fca8fe7278bc9f03 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95RDW CVE: CVE-2021-47101
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized.
Fail log: BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter") Reported-and-tested-by: syzbot+f44badb06036334e867a@syzkaller.appspotmail.com Reviewed-by: Andrew Lunn andrew@lunn.ch Signed-off-by: Pavel Skripkin paskripkin@gmail.com Link: https://lore.kernel.org/r/8966e3b514edf39857dd93603fc79ec02e000a75.164011728... Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Cheng Yu serein.chengyu@huawei.com --- drivers/net/usb/asix_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c index 1787cb3c4097..255ba129baee 100644 --- a/drivers/net/usb/asix_common.c +++ b/drivers/net/usb/asix_common.c @@ -89,7 +89,7 @@ static int asix_check_host_enable(struct usbnet *dev, int in_pm) 0, 0, 1, &smsr, in_pm); if (ret == -ENODEV) break; - else if (ret < 0) + else if (ret < sizeof(smsr)) continue; else if (smsr & AX_HOST_EN) break;