CVE-2023-52528

In the Linux kernel, the following vulnerability has been resolved:

net: usb: smsc75xx: Fix uninit-value access in __smsc75xxreadreg

syzbot reported the following uninit-value access issue:

===================================================== BUG: KMSAN: uninit-value in smsc75xxwaitready drivers/net/usb/smsc75xx.c:975 [inline] BUG: KMSAN: uninit-value in smsc75xxbind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usbhubwq hubevent Call Trace: __dumpstack lib/dumpstack.c:77 [inline] dumpstack+0x21c/0x280 lib/dumpstack.c:118 kmsanreport+0xf7/0x1e0 mm/kmsan/kmsanreport.c:121 __msanwarning+0x58/0xa0 mm/kmsan/kmsaninstr.c:215 smsc75xxwaitready drivers/net/usb/smsc75xx.c:975 [inline] smsc75xxbind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 usbnetprobe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737 usbprobeinterface+0xece/0x1550 drivers/usb/core/driver.c:374 reallyprobe+0xf20/0x20b0 drivers/base/dd.c:529 driverprobe_device+0x293/0x390 drivers/base/dd.c:701 __deviceattachdriver+0x63f/0x830 drivers/base/dd.c:807 busforeach_drv+0x2ca/0x3f0 drivers/base/bus.c:431 __deviceattach+0x4e2/0x7f0 drivers/base/dd.c:873 deviceinitialprobe+0x4a/0x60 drivers/base/dd.c:920 busprobedevice+0x177/0x3d0 drivers/base/bus.c:491 deviceadd+0x3b0e/0x40d0 drivers/base/core.c:2680 usbsetconfiguration+0x380f/0x3f10 drivers/usb/core/message.c:2032 usbgenericdriverprobe+0x138/0x300 drivers/usb/core/generic.c:241 usbprobedevice+0x311/0x490 drivers/usb/core/driver.c:272 reallyprobe+0xf20/0x20b0 drivers/base/dd.c:529 driverprobedevice+0x293/0x390 drivers/base/dd.c:701 __deviceattachdriver+0x63f/0x830 drivers/base/dd.c:807 bus_foreachdrv+0x2ca/0x3f0 drivers/base/bus.c:431 _deviceattach+0x4e2/0x7f0 drivers/base/dd.c:873 deviceinitialprobe+0x4a/0x60 drivers/base/dd.c:920 busprobedevice+0x177/0x3d0 drivers/base/bus.c:491 deviceadd+0x3b0e/0x40d0 drivers/base/core.c:2680 usbnewdevice+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554 hubportconnect drivers/usb/core/hub.c:5208 [inline] hubportconnectchange drivers/usb/core/hub.c:5348 [inline] portevent drivers/usb/core/hub.c:5494 [inline] hubevent+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576 processonework+0x1688/0x2140 kernel/workqueue.c:2269 workerthread+0x10bc/0x2730 kernel/workqueue.c:2415 kthread+0x551/0x590 kernel/kthread.c:292 retfromfork+0x1f/0x30 arch/x86/entry/entry64.S:293

Local variable ----buf.i87@smsc75xx_bind created at: __smsc75xxreadreg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xxwaitready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 _smsc75xxreadreg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xxwaitready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xxbind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482

This issue is caused because usbnetreadcmd() reads less bytes than requested (zero byte in the reproducer). In this case, 'buf' is not properly filled.

This patch fixes the issue by returning -ENODATA if usbnetreadcmd() reads less bytes than requested.