mirror of
https://github.com/torvalds/linux
synced 2024-10-07 20:05:15 +00:00
a6ff6e7a9d
Syzbot got KMSAN to complain about access to an uninitialized value in
the alauda subdriver of usb-storage:
BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0
drivers/usb/storage/alauda.c:1137
CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x191/0x1f0 lib/dump_stack.c:113
kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
__msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
The problem is that alauda_check_media() doesn't verify that its USB
transfer succeeded before trying to use the received data. What
should happen if the transfer fails isn't entirely clear, but a
reasonably conservative approach is to pretend that no media is
present.
A similar problem exists in a usb_stor_dbg() call in
alauda_get_media_status(). In this case, when an error occurs the
call is redundant, because usb_stor_ctrl_transfer() already will print
a debugging message.
Finally, unrelated to the uninitialized memory access, is the fact
that alauda_check_media() performs DMA to a buffer on the stack.
Fortunately usb-storage provides a general purpose DMA-able buffer for
uses like this. We'll use it instead.
Reported-and-tested-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/0000000000007d25ff059457342d@google.com/T/
Suggested-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes:
|
||
|---|---|---|
| .. | ||
| alauda.c | ||
| cypress_atacb.c | ||
| datafab.c | ||
| debug.c | ||
| debug.h | ||
| ene_ub6250.c | ||
| freecom.c | ||
| initializers.c | ||
| initializers.h | ||
| isd200.c | ||
| jumpshot.c | ||
| karma.c | ||
| Kconfig | ||
| Makefile | ||
| onetouch.c | ||
| option_ms.c | ||
| option_ms.h | ||
| protocol.c | ||
| protocol.h | ||
| realtek_cr.c | ||
| scsiglue.c | ||
| scsiglue.h | ||
| sddr09.c | ||
| sddr55.c | ||
| shuttle_usbat.c | ||
| sierra_ms.c | ||
| sierra_ms.h | ||
| transport.c | ||
| transport.h | ||
| uas-detect.h | ||
| uas.c | ||
| unusual_alauda.h | ||
| unusual_cypress.h | ||
| unusual_datafab.h | ||
| unusual_devs.h | ||
| unusual_ene_ub6250.h | ||
| unusual_freecom.h | ||
| unusual_isd200.h | ||
| unusual_jumpshot.h | ||
| unusual_karma.h | ||
| unusual_onetouch.h | ||
| unusual_realtek.h | ||
| unusual_sddr09.h | ||
| unusual_sddr55.h | ||
| unusual_uas.h | ||
| unusual_usbat.h | ||
| usb.c | ||
| usb.h | ||
| usual-tables.c | ||