CVE-2023-53847
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb-storage: alauda: Fix uninit-value in alauda_check_media()
Syzbot got KMSAN to complain about access to an uninitialized value in the alauda subdriver of usb-storage:
BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137 CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x191/0x1f0 lib/dump_stack.c:113 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250 alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
The problem is that alauda_check_media() doesn't verify that its USB transfer succeeded before trying to use the received data. What should happen if the transfer fails isn't entirely clear, but a reasonably conservative approach is to pretend that no media is present.
A similar problem exists in a usb_stor_dbg() call in alauda_get_media_status(). In this case, when an error occurs the call is redundant, because usb_stor_ctrl_transfer() already will print a debugging message.
Finally, unrelated to the uninitialized memory access, is the fact that alauda_check_media() performs DMA to a buffer on the stack. Fortunately usb-storage provides a general purpose DMA-able buffer for uses like this. We'll use it instead.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | e80b0fade09ef1ee67b0898d480d4c588f124d5f < 153c3e85873cc3e2f387169783c3a227bad9a95a | affected |
| Linux | Linux | e80b0fade09ef1ee67b0898d480d4c588f124d5f < 49d380bcd6cba987c6085fae6464c9c087e8d9a0 | affected |
| Linux | Linux | e80b0fade09ef1ee67b0898d480d4c588f124d5f < 044f4446e06bb03c52216697b14867ebc555ad3b | affected |
| Linux | Linux | e80b0fade09ef1ee67b0898d480d4c588f124d5f < fe7c3a445d22783d27fe8bd0521a8aab1eb9da65 | affected |
| Linux | Linux | e80b0fade09ef1ee67b0898d480d4c588f124d5f < 7a11d1e2625bdb2346f6586773b20b20977278ac | affected |
| Linux | Linux | e80b0fade09ef1ee67b0898d480d4c588f124d5f < 0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd | affected |
| Linux | Linux | e80b0fade09ef1ee67b0898d480d4c588f124d5f < 373e0ab8c4c516561493f1acf367c7ee7dc053c2 | affected |
| Linux | Linux | e80b0fade09ef1ee67b0898d480d4c588f124d5f < a6ff6e7a9dd69364547751db0f626a10a6d628d2 | affected |
| Linux | Linux | 2.6.16 | affected |
| Linux | Linux | 0 < 2.6.16 | unaffected |
| Linux | Linux | 4.14.323 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.292 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.254 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.191 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.127 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.46 <= 6.1.* | unaffected |
| Linux | Linux | 6.4.11 <= 6.4.* | unaffected |
| Linux | Linux | 6.5 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/153c3e85873cc3e2f387169783c3a227bad9a95a
- https://git.kernel.org/stable/c/49d380bcd6cba987c6085fae6464c9c087e8d9a0
- https://git.kernel.org/stable/c/044f4446e06bb03c52216697b14867ebc555ad3b
- https://git.kernel.org/stable/c/fe7c3a445d22783d27fe8bd0521a8aab1eb9da65
- https://git.kernel.org/stable/c/7a11d1e2625bdb2346f6586773b20b20977278ac
- https://git.kernel.org/stable/c/0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd
- https://git.kernel.org/stable/c/373e0ab8c4c516561493f1acf367c7ee7dc053c2
- https://git.kernel.org/stable/c/a6ff6e7a9dd69364547751db0f626a10a6d628d2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.