Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3484810ybi;
        Mon, 29 Jul 2019 07:22:07 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwUYZ8KSpSzpheuOt8VDxymTcGdNU32X77otUNYF3IRwpNttKJrY/F1C6qH+BPZ+i0Mcvyx
X-Received: by 2002:a17:90a:f98a:: with SMTP id cq10mr112628326pjb.43.1564410127226;
        Mon, 29 Jul 2019 07:22:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1564410127; cv=none;
        d=google.com; s=arc-20160816;
        b=L1i3YkX3R4ONuKbs9dr2Da0u2dVlBTj0C2BvfBMsj7SC5uAk88PXBGahiJXs7eQFca
         KlHiD+Z95mh8cyjrJgUAQoTqNbtLYUEXmOdXgrfKshnwJslccG8DK/4Mur+DnkngcCS5
         5JjOOXzRMTD7mr/KtTIKs8be+beNA6REkiqLJAsaCvQlG7WWa9HovePRD9tf6vk2aIMH
         w6SMBcF8WWRgxGLS2oz2fE0wWDucTFX3vDYXrJaMT99Hns5MXIBLM+sJ+2Qr45B8wXmP
         2ZehAI+MkYeBDEhxznbZ8jYGHamU6GhXThQgOYLr9E4b1q5f6VSyzc5ToNYTWg1SIGQV
         reHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:in-reply-to
         :subject:cc:to:from:date;
        bh=r096IGyDbuxfBVd0Z9dik7JTTwA3yJhb4D9T9QLWkCI=;
        b=yJxgP4Ej/vXtsESDjfJwbeWQs6bu3m6atMC5dZybdysfTNUxjBdUQZeOv6sy4xV3f5
         BfUKQR02Tycz0I+Bhyd1RMn9CXlmWgFQ6+E95iHYYKHlPYG1wUoJv3Rl1B6NZ+iMRp3T
         NrMW0bzdxUdS5D2iMYN1XmhYAFRbVYBxXXNeBLHpQj/clCAX1C4Q7Yagy1EtNL8WuMlt
         OaSmVFO9Xk+07Cq9zKIMwoqnNbCwm547GCZtAsY30pGxbLc+IcNPPz3L0njmGFtnkto2
         65cp1UrrMFuiw8BIWk2hr66D5j4tRRssGCmdFB/1K9bVbwniGXPkJuXHYiJb+AltX9cR
         hjEg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g1si27434570pfh.47.2019.07.29.07.21.52;
        Mon, 29 Jul 2019 07:22:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727541AbfG2NoW (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Mon, 29 Jul 2019 09:44:22 -0400
Received: from netrider.rowland.org ([192.131.102.5]:58619 "HELO
        netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S1726926AbfG2NoW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Jul 2019 09:44:22 -0400
Received: (qmail 23760 invoked by uid 500); 29 Jul 2019 09:44:21 -0400
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 29 Jul 2019 09:44:21 -0400
Date:   Mon, 29 Jul 2019 09:44:21 -0400 (EDT)
From:   Alan Stern <stern@rowland.harvard.edu>
X-X-Sender: stern@netrider.rowland.org
To:     Jia-Ju Bai <baijiaju1990@gmail.com>
cc:     gregkh@linuxfoundation.org, USB list <linux-usb@vger.kernel.org>,
        USB Storage list <usb-storage@lists.one-eyed-alien.net>,
        Kernel development list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] usb: storage: sddr55: Fix a possible null-pointer
 dereference in sddr55_transport()
In-Reply-To: <20190729114936.6103-1-baijiaju1990@gmail.com>
Message-ID: <Pine.LNX.4.44L0.1907290939250.22244-100000@netrider.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 29 Jul 2019, Jia-Ju Bai wrote:

> In sddr55_transport(), there is an if statement on line 836 to check
> whether info->lba_to_pba is NULL:
>     if (info->lba_to_pba == NULL || ...)
> 
> When info->lba_to_pba is NULL, it is used on line 948:
>     pba = info->lba_to_pba[lba];
> 
> Thus, a possible null-pointer dereference may occur.
> 
> To fix this bug, info->lba_to_pba is checked before being used.
> 
> This bug is found by a static analysis tool STCheck written by us.

This is not the right way to fix the bug.

The code already contains a test on line 938:

		if (lba >= info->max_log_blks) {

If this test fails, the driver doesn't try to dereference 
info->lba_to_pba.

The problem is that info->max_log_blks may be set even though 
info->lba_to_pba is NULL, because the READ_CAPACITY case in 
sddr55_transport() doesn't check the return code from 
sddr55_read_map().  _That_ is what needs to be fixed.

Alan Stern

> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
> v2:
> * Avoid uninitialized access of pba.
>   Thank Oliver for helpful advice.
> 
> ---
>  drivers/usb/storage/sddr55.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/storage/sddr55.c b/drivers/usb/storage/sddr55.c
> index b8527c55335b..d23aff16091e 100644
> --- a/drivers/usb/storage/sddr55.c
> +++ b/drivers/usb/storage/sddr55.c
> @@ -945,7 +945,7 @@ static int sddr55_transport(struct scsi_cmnd *srb, struct us_data *us)
>  			return USB_STOR_TRANSPORT_FAILED;
>  		}
>  
> -		pba = info->lba_to_pba[lba];
> +		pba = info->lba_to_pba ? info->lba_to_pba[lba] : 0;
>  
>  		if (srb->cmnd[0] == WRITE_10) {
>  			usb_stor_dbg(us, "WRITE_10: write block %04X (LBA %04X) page %01X pages %d\n",
>