Message-ID: <yq1pmxj526p.fsf@ca-mkp.ca.oracle.com>
Date:   Fri, 21 May 2021 16:00:10 -0400
From:   "Martin K. Petersen" <martin.petersen@...cle.com>
To:     Phillip Potter <phil@...lpotter.co.uk>
Cc:     jejb@...ux.ibm.com, martin.petersen@...cle.com,
        linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] scsi: sd: skip checks when media is present if
 sd_read_capacity reports zero


Hello Phillip!

> In sd_revalidate_disk, if sdkp->media_present is set, then sdkp->capacity
> should not be zero. Therefore, jump to end of if block and skip remaining
> checks/calls. Fixes a KMSAN-found uninit-value bug reported by syzbot at:
> https://syzkaller.appspot.com/bug?id=197c8a3a2de61720a9b500ad485a7aba0065c6af

The reported read of an uninitialized value is in scsi_mode_sense()
while inspecting a buffer returned from sending a MODE SENSE command to
the device. The buffer in question is memset() before executing the MODE
SENSE command. And we only look at the buffer contents if the MODE SENSE
operation was successful.

As far as I can tell the only way to end up reading uninitialized data
is if the device successfully completes the command but fails to
transfer the data buffer.

But maybe I'm missing something?

-- 
Martin K. Petersen	Oracle Linux Engineering
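
The failure mode described in the message above (the command reports success but the data buffer is not transferred), as an added example that is not part of the original message and is not kernel code: a userspace C sketch that reads MODE SENSE(6) header bytes only when the transfer accounting covers them. The function name, the status codes and the `resid` parameter (bytes not transferred) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this sketch (not kernel identifiers). */
enum ms_status { MS_OK = 0, MS_CMD_FAILED = -1, MS_SHORT_TRANSFER = -2 };

/* The 4-byte MODE SENSE(6) parameter header. */
struct ms6_header {
    uint8_t mode_data_length, medium_type, device_specific, block_desc_length;
};

/*
 * cmd_result: 0 when the device reported success.
 * buf/buflen: data-in buffer handed to the device.
 * resid:      bytes the transport says were NOT transferred (assumed input).
 */
int parse_mode_sense6(int cmd_result, const uint8_t *buf, size_t buflen,
                      size_t resid, struct ms6_header *out)
{
    if (cmd_result != 0)
        return MS_CMD_FAILED;
    if (resid > buflen)                 /* inconsistent accounting */
        return MS_SHORT_TRANSFER;
    size_t got = buflen - resid;        /* bytes the device really wrote */
    if (got < 4)                        /* header not fully transferred */
        return MS_SHORT_TRANSFER;
    out->mode_data_length  = buf[0];
    out->medium_type       = buf[1];
    out->device_specific   = buf[2];
    out->block_desc_length = buf[3];
    if ((size_t)4 + out->block_desc_length > got)
        return MS_SHORT_TRANSFER;       /* descriptors extend past the data */
    return MS_OK;
}

int main(void)
{
    /* Constructed sample: header plus one 8-byte block descriptor. */
    uint8_t buf[12] = { 0x0b, 0x00, 0x80, 0x08 };
    struct ms6_header h;
    printf("full transfer:  %d\n", parse_mode_sense6(0, buf, sizeof buf, 0, &h));
    printf("no data moved:  %d\n", parse_mode_sense6(0, buf, sizeof buf, sizeof buf, &h));
    printf("short by 4:     %d\n", parse_mode_sense6(0, buf, sizeof buf, 4, &h));
    return 0;
}
```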
