Acknowledged
Created: Jul 4, 2025
Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]net: usb: aqc111: fix error handling of usbnet read calls[EOL][EOL]Syzkaller, courtesy of syzbot, identified an error (see report [1]) in[EOL]aqc111 driver, caused by incomplete sanitation of usb read calls'[EOL]results. This problem is quite similar to the one fixed in commit[EOL]920a9fa27e78 ("net: asix: add proper error handling of usb read errors").[EOL][EOL]For instance, usbnet_read_cmd() may read fewer than 'size' bytes,[EOL]even if the caller expected the full amount, and aqc111_read_cmd()[EOL]will not check its result properly. As [1] shows, this may lead[EOL]to MAC address in aqc111_bind() being only partly initialized,[EOL]triggering KMSAN warnings.[EOL][EOL]Fix the issue by verifying that the number of bytes read is[EOL]as expected and not less.[EOL][EOL][1] Partial syzbot report:[EOL]BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline][EOL]BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830[EOL] is_valid_ether_addr include/linux/etherdevice.h:208 [inline][EOL] usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830[EOL] usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396[EOL] call_driver_probe drivers/base/dd.c:-1 [inline][EOL] really_probe+0x4d1/0xd90 drivers/base/dd.c:658[EOL] __driver_probe_device+0x268/0x380 drivers/base/dd.c:800[EOL]...[EOL][EOL]Uninit was stored to memory at:[EOL] dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582[EOL] __dev_addr_set include/linux/netdevice.h:4874 [inline][EOL] eth_hw_addr_set include/linux/etherdevice.h:325 [inline][EOL] aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717[EOL] usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772[EOL] usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396[EOL]...[EOL][EOL]Uninit was stored to memory at:[EOL] ether_addr_copy include/linux/etherdevice.h:305 [inline][EOL] aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline][EOL] aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713[EOL] usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772[EOL] usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396[EOL] call_driver_probe drivers/base/dd.c:-1 [inline][EOL]...[EOL][EOL]Local variable buf.i created at:[EOL] aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline][EOL] aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713[EOL] usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
CREATE(Triage):(User=lchen-cn) [CVE-2025-38153 (https://nvd.nist.gov/vuln/detail/CVE-2025-38153)
