Message-ID: <4375985d-7e0e-b76c-9fdf-5430d2951d51@canonical.com>
Date:   Thu, 11 Mar 2021 10:00:21 +0000
From:   Colin Ian King <colin.king@...onical.com>
To:     Douglas Gilbert <dgilbert@...erlog.com>
Cc:     "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        linux-scsi@...r.kernel.org,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: re: scsi: sg: NO_DXFER move to/from kernel buffers

Hi,

Static analysis on linux-next with Coverity has detected an issue in
drivers/scsi/sg.c with the following recent commit:

commit b32ac463cb59e758b4560260fd168a2b4ea6e81a
Author: Douglas Gilbert <dgilbert@...erlog.com>
Date:   Fri Feb 19 21:00:54 2021 -0500

    scsi: sg: NO_DXFER move to/from kernel buffers

The analysis is as follows:

2973 sg_rq_map_kern(struct sg_request *srp, struct request_queue *q, struct request *rqq, int rw_ind)
2974 {
2975        struct sg_scatter_hold *schp = &srp->sgat_h;
2976        struct bio *bio;

    1. var_decl: Declaring variable k without initializer.

2977        int k, ln;
2978        int op_flags = 0;
2979        int num_sgat = schp->num_sgat;
2980        int dlen = schp->dlen;
2981        int pg_sz = 1 << (PAGE_SHIFT + schp->page_order);
2982        int num_segs = (1 << schp->page_order) * num_sgat;
2983        int res = 0;
2984

    2. Condition _sdp, taking true branch.
    3. Condition _sdp->disk, taking true branch.
    4. Condition !!(_sdp && _sdp->disk), taking true branch.
    5. Condition !!(((scsi_logging_level >> 3) & 7U /* (1 << 3) - 1 */) > 4), taking true branch.
    6. Condition !!(((scsi_logging_level >> 3) & 7U /* (1 << 3) - 1 */) > 4), taking true branch.
    7. Falling through to end of if statement.

2985        SG_LOG(4, srp->parentfp, "%s: dlen=%d, pg_sz=%d\n", __func__, dlen, pg_sz);

    8. Condition num_sgat <= 0, taking false branch.

2986        if (num_sgat <= 0)
2987                return 0;

    9. Condition rw_ind == 1, taking true branch.

2988        if (rw_ind == WRITE)
2989                op_flags = REQ_SYNC | REQ_IDLE;
    Uninitialized scalar variable
    10. uninit_use: Using uninitialized value k.

2990        bio = sg_mk_kern_bio(num_sgat - k);
2991        if (!bio)

Variable k is not initialized; however, it is being read while it still
contains a garbage value.

Colin
