| Message ID | 20191105141807.27054-1-tranmanphong@gmail.com (mailing list archive) |
|---|---|
| State | Rejected |
| Delegated to: | Benjamin Tissoires |
| Headers | show |
| Series | HID: hid-lg4ff: Fix uninit-value set_autocenter_default | expand |
On Tue, Nov 5, 2019 at 3:18 PM Phong Tran <tranmanphong@gmail.com> wrote: > > syzbot found a problem using of uinit pointer in > lg4ff_set_autocenter_default(). > > Reported-by: syzbot+1234691fec1b8ceba8b1@syzkaller.appspotmail.com > > Tested by syzbot: > > https://groups.google.com/d/msg/syzkaller-bugs/ApnMLW6sfKE/Qq0bIHGEAQAJ This seems weird to me: the syzbot link above is about `hid_get_drvdata(hid)`, and, as I read it, the possibility that hid might not have an initialized value. Here you are changing the initialized values of value, entry and drv_data, all 3 are never used before their first assignment. I have a feeling this particular syzbot check has already been fixed upstream by d9d4b1e46d95 "HID: Fix assumption that devices have inputs". Cheers, Benjamin > > Signed-off-by: Phong Tran <tranmanphong@gmail.com> > --- > drivers/hid/hid-lg4ff.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c > index 5e6a0cef2a06..44dfd08b0c32 100644 > --- a/drivers/hid/hid-lg4ff.c > +++ b/drivers/hid/hid-lg4ff.c > @@ -468,10 +468,10 @@ static int lg4ff_play(struct input_dev *dev, void *data, struct ff_effect *effec > static void lg4ff_set_autocenter_default(struct input_dev *dev, u16 magnitude) > { > struct hid_device *hid = input_get_drvdata(dev); > - s32 *value; > + s32 *value = NULL; > u32 expand_a, expand_b; > - struct lg4ff_device_entry *entry; > - struct lg_drv_data *drv_data; > + struct lg4ff_device_entry *entry = NULL; > + struct lg_drv_data *drv_data = NULL; > unsigned long flags; > > drv_data = hid_get_drvdata(hid); > -- > 2.20.1 >
On 11/18/19 4:43 PM, Benjamin Tissoires wrote: > On Tue, Nov 5, 2019 at 3:18 PM Phong Tran <tranmanphong@gmail.com> wrote: >> >> syzbot found a problem using of uinit pointer in >> lg4ff_set_autocenter_default(). >> >> Reported-by: syzbot+1234691fec1b8ceba8b1@syzkaller.appspotmail.com >> >> Tested by syzbot: >> >> https://groups.google.com/d/msg/syzkaller-bugs/ApnMLW6sfKE/Qq0bIHGEAQAJ > > This seems weird to me: > > the syzbot link above is about `hid_get_drvdata(hid)`, and, as I read > it, the possibility that hid might not have an initialized value. > In the dashboard [1] shows BUG: KMSAN: uninit-value in dev_get_drvdata include/linux/device.h:1388 [inline] BUG: KMSAN: uninit-value in hid_get_drvdata include/linux/hid.h:628 [inline] BUG: KMSAN: uninit-value in lg4ff_set_autocenter_default+0x23a/0xa20 drivers/hid/hid-lg4ff.c:477 base on that I did the initialization the pointer in the patch. > Here you are changing the initialized values of value, entry and > drv_data, all 3 are never used before their first assignment. > > I have a feeling this particular syzbot check has already been fixed > upstream by d9d4b1e46d95 "HID: Fix assumption that devices have > inputs". > I think the commit d9d4b1 fixed this report [2] by syzbot. [1] https://syzkaller.appspot.com/bug?extid=1234691fec1b8ceba8b1 [2] https://syzkaller.appspot.com/bug?extid=403741a091bf41d4ae79 regards, Phong. > Cheers, > Benjamin > >> >> Signed-off-by: Phong Tran <tranmanphong@gmail.com> >> --- >> drivers/hid/hid-lg4ff.c | 6 +++--- >> 1 file changed, 3 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c >> index 5e6a0cef2a06..44dfd08b0c32 100644 >> --- a/drivers/hid/hid-lg4ff.c >> +++ b/drivers/hid/hid-lg4ff.c >> @@ -468,10 +468,10 @@ static int lg4ff_play(struct input_dev *dev, void *data, struct ff_effect *effec >> static void lg4ff_set_autocenter_default(struct input_dev *dev, u16 magnitude) >> { >> struct hid_device *hid = input_get_drvdata(dev); >> - s32 *value; >> + s32 *value = NULL; >> u32 expand_a, expand_b; >> - struct lg4ff_device_entry *entry; >> - struct lg_drv_data *drv_data; >> + struct lg4ff_device_entry *entry = NULL; >> + struct lg_drv_data *drv_data = NULL; >> unsigned long flags; >> >> drv_data = hid_get_drvdata(hid); >> -- >> 2.20.1 >> >
On Tue, Nov 19, 2019 at 2:30 PM Phong Tran <tranmanphong@gmail.com> wrote: > > On 11/18/19 4:43 PM, Benjamin Tissoires wrote: > > On Tue, Nov 5, 2019 at 3:18 PM Phong Tran <tranmanphong@gmail.com> wrote: > >> > >> syzbot found a problem using of uinit pointer in > >> lg4ff_set_autocenter_default(). > >> > >> Reported-by: syzbot+1234691fec1b8ceba8b1@syzkaller.appspotmail.com > >> > >> Tested by syzbot: > >> > >> https://groups.google.com/d/msg/syzkaller-bugs/ApnMLW6sfKE/Qq0bIHGEAQAJ > > > > This seems weird to me: > > > > the syzbot link above is about `hid_get_drvdata(hid)`, and, as I read > > it, the possibility that hid might not have an initialized value. > > > > In the dashboard [1] shows > BUG: KMSAN: uninit-value in dev_get_drvdata include/linux/device.h:1388 > [inline] > BUG: KMSAN: uninit-value in hid_get_drvdata include/linux/hid.h:628 [inline] > BUG: KMSAN: uninit-value in lg4ff_set_autocenter_default+0x23a/0xa20 > drivers/hid/hid-lg4ff.c:477 > base on that I did the initialization the pointer in the patch. > > > Here you are changing the initialized values of value, entry and > > drv_data, all 3 are never used before their first assignment. > > > > I have a feeling this particular syzbot check has already been fixed > > upstream by d9d4b1e46d95 "HID: Fix assumption that devices have > > inputs". > > > > I think the commit d9d4b1 fixed this report [2] by syzbot. > > [1] https://syzkaller.appspot.com/bug?extid=1234691fec1b8ceba8b1 > [2] https://syzkaller.appspot.com/bug?extid=403741a091bf41d4ae79 As you can see in my long discussion with syzbot today, d9d4b1 also fixed that one. https://groups.google.com/forum/#!msg/syzkaller-bugs/ApnMLW6sfKE/Qq0bIHGEAQAJ Cheers, Benjamin > > regards, > Phong. > > Cheers, > > Benjamin > > > >> > >> Signed-off-by: Phong Tran <tranmanphong@gmail.com> > >> --- > >> drivers/hid/hid-lg4ff.c | 6 +++--- > >> 1 file changed, 3 insertions(+), 3 deletions(-) > >> > >> diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c > >> index 5e6a0cef2a06..44dfd08b0c32 100644 > >> --- a/drivers/hid/hid-lg4ff.c > >> +++ b/drivers/hid/hid-lg4ff.c > >> @@ -468,10 +468,10 @@ static int lg4ff_play(struct input_dev *dev, void *data, struct ff_effect *effec > >> static void lg4ff_set_autocenter_default(struct input_dev *dev, u16 magnitude) > >> { > >> struct hid_device *hid = input_get_drvdata(dev); > >> - s32 *value; > >> + s32 *value = NULL; > >> u32 expand_a, expand_b; > >> - struct lg4ff_device_entry *entry; > >> - struct lg_drv_data *drv_data; > >> + struct lg4ff_device_entry *entry = NULL; > >> + struct lg_drv_data *drv_data = NULL; > >> unsigned long flags; > >> > >> drv_data = hid_get_drvdata(hid); > >> -- > >> 2.20.1 > >> > > >
diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c index 5e6a0cef2a06..44dfd08b0c32 100644 --- a/drivers/hid/hid-lg4ff.c +++ b/drivers/hid/hid-lg4ff.c @@ -468,10 +468,10 @@ static int lg4ff_play(struct input_dev *dev, void *data, struct ff_effect *effec static void lg4ff_set_autocenter_default(struct input_dev *dev, u16 magnitude) { struct hid_device *hid = input_get_drvdata(dev); - s32 *value; + s32 *value = NULL; u32 expand_a, expand_b; - struct lg4ff_device_entry *entry; - struct lg_drv_data *drv_data; + struct lg4ff_device_entry *entry = NULL; + struct lg_drv_data *drv_data = NULL; unsigned long flags; drv_data = hid_get_drvdata(hid);
syzbot found a problem using of uinit pointer in lg4ff_set_autocenter_default(). Reported-by: syzbot+1234691fec1b8ceba8b1@syzkaller.appspotmail.com Tested by syzbot: https://groups.google.com/d/msg/syzkaller-bugs/ApnMLW6sfKE/Qq0bIHGEAQAJ Signed-off-by: Phong Tran <tranmanphong@gmail.com> --- drivers/hid/hid-lg4ff.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)