CVE-2025-38153

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 03/07/2025
Last modified: 18/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: aqc111: fix error handling of usbnet read calls

Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 ("net: asix: add proper error handling of usb read errors").

For instance, usbnet_read_cmd() may read fewer than 'size' bytes, even if the caller expected the full amount, and aqc111_read_cmd() will not check its result properly. As [1] shows, this may lead to MAC address in aqc111_bind() being only partly initialized, triggering KMSAN warnings.

Fix the issue by verifying that the number of bytes read is as expected and not less.

[1] Partial syzbot report:
BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x4d1/0xd90 drivers/base/dd.c:658
__driver_probe_device+0x268/0x380 drivers/base/dd.c:800
...

Uninit was stored to memory at:
dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
__dev_addr_set include/linux/netdevice.h:4874 [inline]
eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
...

Uninit was stored to memory at:
ether_addr_copy include/linux/etherdevice.h:305 [inline]
aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
...

Local variable buf.i created at:
aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
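
A user-space model of the short-read condition described above, added here as an illustration and not taken from the kernel driver or its patch. The names `fake_usb_read`, `read_cmd_unchecked`, `read_cmd_checked` and `stale_after_bind`, the poison byte, the sample MAC and the `-ENODATA` return value are all assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define POISON   0xAA /* stands in for uninitialized stack bytes */
static const unsigned char DEV_MAC[ETH_ALEN] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */

/* Hypothetical transport: copies at most 'avail' bytes and returns the count. */
static int fake_usb_read(void *data, int size, int avail)
{
    int n = avail < size ? avail : size;
    if (n < 0)
        return -EIO;
    memcpy(data, DEV_MAC, (size_t)n);
    return n;
}

/* Before: only a negative return is an error, so a short read passes. */
static int read_cmd_unchecked(void *data, int size, int avail)
{
    return fake_usb_read(data, size, avail);
}

/* After: fewer bytes than requested is an error (-ENODATA chosen for this example). */
static int read_cmd_checked(void *data, int size, int avail)
{
    int ret = fake_usb_read(data, size, avail);
    return ret < size ? (ret < 0 ? ret : -ENODATA) : ret;
}

/* Models the MAC read at bind time: negative errno, or count of stale bytes accepted. */
static int stale_after_bind(int (*rd)(void *, int, int), int avail)
{
    unsigned char buf[ETH_ALEN];
    int i, stale = 0, ret;
    memset(buf, POISON, sizeof(buf)); /* real code leaves this uninitialized */
    ret = rd(buf, ETH_ALEN, avail);
    if (ret < 0)
        return ret;
    for (i = 0; i < ETH_ALEN; i++)
        stale += (buf[i] == POISON);
    return stale;
}

int main(void)
{
    printf("unchecked: %d stale bytes accepted; checked: %d\n",
           stale_after_bind(read_cmd_unchecked, 2), stale_after_bind(read_cmd_checked, 2));
    return 0;
}
```

With a two-byte reply, the unchecked wrapper reports success and four of the six address bytes are never written, which is the condition KMSAN flags in the report; the checked wrapper fails the bind instead.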

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.0 (including) 5.4.295 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.239 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.186 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.142 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.3 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*