Thread (15 messages) 15 messages, 7 authors, 2021-12-29

Re: KMSAN: uninit-value in alauda_check_media

From: Alan Stern <stern@rowland.harvard.edu>
Date: 2021-12-29 16:45:28
Also in: kernel-janitors, lkml 

On Wed, Dec 29, 2021 at 10:16:22AM +0100, Christophe JAILLET wrote:
Le 28/12/2021 à 23:49, Alan Stern a écrit :
quoted
On Tue, Dec 28, 2021 at 08:47:15AM +0100, Christophe JAILLET wrote:
quoted
Hi,

(2nd try - text only format - sorry for the noise)


first try to use syzbot. I hope I do it right.
Discussion about the syz report can be found at
https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/ (local)

This patch only test if alauda_get_media_status() (and its embedded
usb_stor_ctrl_transfer()) before using the data.
In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
master

CJ
quoted
diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c
index 20b857e97e60..6c486d964911 100644
--- a/drivers/usb/storage/alauda.c
+++ b/drivers/usb/storage/alauda.c
@@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data)
  	rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe,
  		command, 0xc0, 0, 1, data, 2);
-	usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]);
+	if (rc == USB_STOR_XFER_GOOD)
+		usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]);
Instead of adding this test, you could initialize data[0] and data[1]
to zero before the call to usb_stor_ctrl_transfer.
Well, having the test is cleaner, IMHO.
If usb_stor_ctrl_transfer() fails, a message explaining the reason is
already generated by the same usb_stor_dbg(). Having an error message
followed by another one stating that the Media Status is 0x00 0x00 could be
confusing I think.

Let me know if you have a real preference for a memset(data, 0, 2).
If so, I'll add it.

quoted
quoted
  	return rc;
  }
@@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us)
  {
  	struct alauda_info *info = (struct alauda_info *) us->extra;
  	unsigned char status[2];
+	int rc;
-	alauda_get_media_status(us, status);
+	rc = alauda_get_media_status(us, status);
+	if (rc != USB_STOR_TRANSPORT_GOOD)
+		return USB_STOR_TRANSPORT_ERROR;
  	/* Check for no media or door open */
  	if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10)
In general this looks fine.  Let us know when you are ready to submit
the patch.
I was unsure that this patch would get any interest because the driver looks
old. That's why I first tried to play with syzbot :)
It is indeed old.  I doubt very many devices of this type are still in 
use.

In the syzbot history, you also mentioned that 'unsigned char status[2]'
should be 'unsigned char *status = us->iobuf;'

This is more a blind fix for me, but it looks consistent with other places
that call alauda_get_media_status().

So, once you confirm if you prefer my 'if' or a 'memset', I'll resend a
small serie for fixing both issues.
"if" and "memset" are both acceptable.  You can use either one.

Alan Stern
  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help