Message-ID: <156fb7f1-cf12-e6cb-63c0-5c0413ce2b2e@wanadoo.fr>
Date:   Wed, 29 Dec 2021 10:16:22 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.3.1
Subject: Re: KMSAN: uninit-value in alauda_check_media
Content-Language: en-US
To:     Alan Stern <stern@rowland.harvard.edu>
Cc:     glider@google.com, gregkh@linuxfoundation.org,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        syzkaller-bugs@googlegroups.com,
        usb-storage@lists.one-eyed-alien.net,
        Kernel Janitors <kernel-janitors@vger.kernel.org>
References: <0000000000007d25ff059457342d@google.com>
 <f78b974a-e36b-6d23-6977-fdf50c05600b@wanadoo.fr>
 <YcuUX6BVo+HA1TcI@rowland.harvard.edu>
From:   Christophe JAILLET <christophe.jaillet@wanadoo.fr>
In-Reply-To: <YcuUX6BVo+HA1TcI@rowland.harvard.edu>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Precedence: bulk

Le 28/12/2021 à 23:49, Alan Stern a écrit :
> On Tue, Dec 28, 2021 at 08:47:15AM +0100, Christophe JAILLET wrote:
>> Hi,
>>
>> (2nd try - text only format - sorry for the noise)
>>
>>
>> first try to use syzbot. I hope I do it right.
>> Discussion about the syz report can be found at
>> https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/
>>
>> This patch only test if alauda_get_media_status() (and its embedded
>> usb_stor_ctrl_transfer()) before using the data.
>> In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere.
>>
>> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
>> master
>>
>> CJ
>>
> 
>> diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c
>> index 20b857e97e60..6c486d964911 100644
>> --- a/drivers/usb/storage/alauda.c
>> +++ b/drivers/usb/storage/alauda.c
>> @@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data)
>>   	rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe,
>>   		command, 0xc0, 0, 1, data, 2);
>>   
>> -	usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]);
>> +	if (rc == USB_STOR_XFER_GOOD)
>> +		usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]);
> 
> Instead of adding this test, you could initialize data[0] and data[1]
> to zero before the call to usb_stor_ctrl_transfer.

Well, having the test is cleaner, IMHO.
If usb_stor_ctrl_transfer() fails, a message explaining the reason is 
already generated by the same usb_stor_dbg(). Having an error message 
followed by another one stating that the Media Status is 0x00 0x00 could 
be confusing I think.

Let me know if you have a real preference for a memset(data, 0, 2).
If so, I'll add it.

> 
>>   
>>   	return rc;
>>   }
>> @@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us)
>>   {
>>   	struct alauda_info *info = (struct alauda_info *) us->extra;
>>   	unsigned char status[2];
>> +	int rc;
>>   
>> -	alauda_get_media_status(us, status);
>> +	rc = alauda_get_media_status(us, status);
>> +	if (rc != USB_STOR_TRANSPORT_GOOD)
>> +		return USB_STOR_TRANSPORT_ERROR;
>>   
>>   	/* Check for no media or door open */
>>   	if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10)
> 
> In general this looks fine.  Let us know when you are ready to submit
> the patch.

I was unsure that this patch would get any interest because the driver 
looks old. That's why I first tried to play with syzbot :)

In the syzbot history, you also mentioned that 'unsigned char status[2]' 
should be 'unsigned char *status = us->iobuf;'

This is more a blind fix for me, but it looks consistent with other 
places that call alauda_get_media_status().

So, once you confirm if you prefer my 'if' or a 'memset', I'll resend a 
small serie for fixing both issues.

CJ


> 
> Alan Stern
>