cve/published/2023/CVE-2023-52528.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52528: net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg

 syzbot reported the following uninit-value access issue:

 =====================================================
 BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
 BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
 CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 Workqueue: usb_hub_wq hub_event
 Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x21c/0x280 lib/dump_stack.c:118
  kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
  __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
  smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
  smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
  usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737
  usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374
  really_probe+0xf20/0x20b0 drivers/base/dd.c:529
  driver_probe_device+0x293/0x390 drivers/base/dd.c:701
  __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
  bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
  __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
  device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
  bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
  device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
  usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032
  usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241
  usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272
  really_probe+0xf20/0x20b0 drivers/base/dd.c:529
  driver_probe_device+0x293/0x390 drivers/base/dd.c:701
  __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
  bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
  __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
  device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
  bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
  device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
  usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554
  hub_port_connect drivers/usb/core/hub.c:5208 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]
  port_event drivers/usb/core/hub.c:5494 [inline]
  hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576
  process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
  worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
  kthread+0x551/0x590 kernel/kthread.c:292
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

 Local variable ----buf.i87@smsc75xx_bind created at:
  __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
  smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
  smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482
  __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
  smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
  smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482

 This issue is caused because usbnet_read_cmd() reads less bytes than requested
 (zero byte in the reproducer). In this case, 'buf' is not properly filled.

 This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
 less bytes than requested.

 The Linux kernel CVE team has assigned CVE-2023-52528 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 4.14.327 with commit 3e0af6eec1789fd11934164a7f4dbcad979855a4
 	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 4.19.296 with commit 2a36d9e2995c8c3c3f179aab1215a69cff06cbed
 	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 5.4.258 with commit 310f1c92f65ad905b7e81fe14de82d979ebbd825
 	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 5.10.198 with commit 30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5
 	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 5.15.135 with commit cda10784a176d7192f08ecb518f777a4e9575812
 	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 6.1.57 with commit 9ffc5018020fe646795a8dc1203224b8f776dc09
 	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 6.5.7 with commit 4931e80da9463b03bfe42be54a9a19f213b0f76d
 	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 6.6 with commit e9c65989920f7c28775ec4e0c11b483910fb67b8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52528
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/usb/smsc75xx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4
 	https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed
 	https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825
 	https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5
 	https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812
 	https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09
 	https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d
 	https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52528: net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg

	syzbot reported the following uninit-value access issue:

	=====================================================
	BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
	BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
	CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	Workqueue: usb_hub_wq hub_event
	Call Trace:
	__dump_stack lib/dump_stack.c:77 [inline]
	dump_stack+0x21c/0x280 lib/dump_stack.c:118
	kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
	__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
	smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
	smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
	usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737
	usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374
	really_probe+0xf20/0x20b0 drivers/base/dd.c:529
	driver_probe_device+0x293/0x390 drivers/base/dd.c:701
	__device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
	bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
	__device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
	device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
	bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
	device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
	usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032
	usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241
	usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272
	really_probe+0xf20/0x20b0 drivers/base/dd.c:529
	driver_probe_device+0x293/0x390 drivers/base/dd.c:701
	__device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
	bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
	__device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
	device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
	bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
	device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
	usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554
	hub_port_connect drivers/usb/core/hub.c:5208 [inline]
	hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]
	port_event drivers/usb/core/hub.c:5494 [inline]
	hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576
	process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
	worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
	kthread+0x551/0x590 kernel/kthread.c:292
	ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

	Local variable ----buf.i87@smsc75xx_bind created at:
	__smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
	smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
	smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482
	__smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
	smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
	smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482

	This issue is caused because usbnet_read_cmd() reads less bytes than requested
	(zero byte in the reproducer). In this case, 'buf' is not properly filled.

	This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
	less bytes than requested.

	The Linux kernel CVE team has assigned CVE-2023-52528 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 4.14.327 with commit 3e0af6eec1789fd11934164a7f4dbcad979855a4
	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 4.19.296 with commit 2a36d9e2995c8c3c3f179aab1215a69cff06cbed
	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 5.4.258 with commit 310f1c92f65ad905b7e81fe14de82d979ebbd825
	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 5.10.198 with commit 30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5
	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 5.15.135 with commit cda10784a176d7192f08ecb518f777a4e9575812
	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 6.1.57 with commit 9ffc5018020fe646795a8dc1203224b8f776dc09
	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 6.5.7 with commit 4931e80da9463b03bfe42be54a9a19f213b0f76d
	Issue introduced in 2.6.34 with commit d0cad871703b898a442e4049c532ec39168e5b57 and fixed in 6.6 with commit e9c65989920f7c28775ec4e0c11b483910fb67b8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52528
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/usb/smsc75xx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4
	https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed
	https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825
	https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5
	https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812
	https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09
	https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d
	https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8