net: usb: asix: validate PHY address before use

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():

addr 207 out of range
WARNING: drivers/net/phy/mdio_bus.c:76

Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.

Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

authored by

Deepanshu Kartikey and committed by

Paolo Abeni 3 months ago a1e077a3 a4f800c4

+6 -5

2 changed files

expand all

drivers

net

usb

asix_common.c

ax88172a.c

drivers/net/usb/asix_common.c

··· 335 335 offset = (internal ? 1 : 0); 336 336 ret = buf[offset]; 337 337 338 + if (ret >= PHY_MAX_ADDR) { 339 + netdev_err(dev->net, "invalid PHY address: %d\n", ret); 340 + return -ENODEV; 341 + } 342 + 338 343 netdev_dbg(dev->net, "%s PHY address 0x%x\n", 339 344 internal ? "internal" : "external", ret); 340 345

+1 -5

drivers/net/usb/ax88172a.c

··· 210 210 ret = asix_read_phy_addr(dev, priv->use_embdphy); 211 211 if (ret < 0) 212 212 goto free; 213 - if (ret >= PHY_MAX_ADDR) { 214 - netdev_err(dev->net, "Invalid PHY address %#x\n", ret); 215 - ret = -ENODEV; 216 - goto free; 217 - } 213 + 218 214 priv->phy_addr = ret; 219 215 220 216 ax88172a_reset_phy(dev, priv->use_embdphy);