lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CACT4Y+ZSLKWJK6yrLG6=ej4-1_uxnqGhS05rBiD=eFX3GETFEw@mail.gmail.com>
Date:   Fri, 26 Mar 2021 08:40:00 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Pavel Skripkin <paskripkin@...il.com>
Cc:     Greg KH <gregkh@...uxfoundation.org>,
        Alaa Emad <alaaemadhossney.ae@...il.com>,
        Hans Verkuil <hverkuil@...all.nl>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Linux Media Mailing List <linux-media@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>,
        syzbot+a4e309017a5f3a24c7b3@...kaller.appspotmail.com
Subject: Re: [PATCH] media: sq905.c: fix uninitialized variable

On Fri, Mar 26, 2021 at 8:24 AM Pavel Skripkin <paskripkin@...il.com> wrote:
>
> Hi!
>
> On Fri, 2021-03-26 at 08:14 +0100, 'Dmitry Vyukov' via syzkaller wrote:
> > On Fri, Mar 26, 2021 at 8:11 AM Greg KH <gregkh@...uxfoundation.org>
> > wrote:
> > >
> > > On Thu, Mar 25, 2021 at 11:22:02PM +0200, Alaa Emad wrote:
> > > > Reported-by: syzbot+a4e309017a5f3a24c7b3@...kaller.appspotmail.com
> > > > Signed-off-by: Alaa Emad <alaaemadhossney.ae@...il.com>
> > > > ---
> > >
> > > I know I do not take patches with no changelog text, but other
> > > maintainers might be more leniant :(
> >
> > I wonder if it's the right fix or not.
> > Initializing variables will, of course, silence the warning, but it's
> > not necessarily the right fix. I suspect there is something wrong in
> > how ret/act_len are user/checked.
> >
>
> There is a problem in usb_bulk_msg() call. It could return before
> act_len initialization, so i think, act_len should be intialized with
> smth wrong like 0 or -1. BTW, I already send patch for that, but it was
> marked as obsoleted.

If usb_bulk_msg returns before act_len initialization, it should
signify that fact with an error code in return value or something,
right? It does not initialize act_len only in case of errors, right?
If so, sq905_read_data must check ret and don't use act_for any
checks. But it does, and that's I think the bug. Or maybe usb_bulk_msg
does not properly signify that it failed (and did not initialize
act_len). Either way silencing the warning with pre-initializing
act_len looks very fishy.
For example, consider, in some contexts it's OK to transmit 0-length
packets, I don't know if it's the case for usb_bulk_msg or not, but it
does not affect the idea. Now, if we pre-initialize act_len to 0, we
can falsely think that such 0-length transfer has succeeded (act_len
== size), while it actually failed (I assume so since usb_bulk_msg
left act_len unitialized).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ