mirror of synced 2025-03-06 20:59:54 +01:00
linux/drivers/usb/storage
Kees Cook ce33e64c17 USB: ene_usb6250: Allocate enough memory for full object
The allocation of PageBuffer is 512 bytes in size, but the dereferencing
of struct ms_bootblock_idi (also size 512) happens at a calculated offset
within the allocation, which means the object could potentially extend
beyond the end of the allocation. Avoid this case by just allocating
enough space to catch any accesses beyond the end. Seen with GCC 13:

../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock':
../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=]
 1050 |                         if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
      |                                            ^~
../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu'
   37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
      |                                                   ^
../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu'
 1050 |                         if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
      |                             ^~~~~~~~~~~
In file included from ../drivers/usb/storage/ene_ub6250.c:5:
In function 'kmalloc',
    inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15:
../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace'
  580 |                 return kmalloc_trace(
      |                        ^~~~~~~~~~~~~~
  581 |                                 kmalloc_caches[kmalloc_type(flags)][index],
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  582 |                                 flags, size);
      |                                 ~~~~~~~~~~~~

Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230204183546.never.849-kees@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-06 13:46:42 +01:00
alauda.c usb: storage: Add check for kcalloc 2022-12-08 16:43:12 +01:00
cypress_atacb.c scsi: core: Remove the cmd field from struct scsi_request 2022-03-01 22:21:49 -05:00
datafab.c usb: storage: datafab: remove redundant assignment of variable result 2021-04-22 10:52:10 +02:00
debug.c scsi: Remove drivers/scsi/scsi.h 2022-02-22 21:11:02 -05:00
debug.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
ene_ub6250.c USB: ene_usb6250: Allocate enough memory for full object 2023-02-06 13:46:42 +01:00
freecom.c usb: storage: freecom: remove unneeded break 2020-10-28 12:22:50 +01:00
initializers.c USB: storage: remove invalid URL from drivers 2018-01-23 10:22:34 +01:00
initializers.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
isd200.c usb-storage: isd200: fix initFunction error return 2022-04-21 19:02:42 +02:00
jumpshot.c usb-storage: export symbols in USB_STORAGE namespace 2019-09-10 10:30:57 +02:00
karma.c USB: storage: karma: fix rio_karma_init return 2022-04-21 19:03:26 +02:00
Kconfig USB: storage: replace HTTP links with HTTPS ones 2020-07-09 18:06:12 +02:00
Makefile usb-storage: export symbols in USB_STORAGE namespace 2019-09-10 10:30:57 +02:00
onetouch.c usb: move from strlcpy with unused retval to strscpy 2022-08-19 11:08:54 +02:00
option_ms.c USB: storage: Remove redundant license text 2017-11-04 11:55:38 +01:00
option_ms.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
protocol.c USB: storage: remove invalid URL from drivers 2018-01-23 10:22:34 +01:00
protocol.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
realtek_cr.c USB: storage: ums-realtek: fix error code in rts51x_read_mem() 2022-03-15 18:21:25 +01:00
scsiglue.c scsi: usb: Switch to attribute groups 2021-10-16 21:45:59 -04:00
scsiglue.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
sddr09.c usb-storage: export symbols in USB_STORAGE namespace 2019-09-10 10:30:57 +02:00
sddr55.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
shuttle_usbat.c usb-storage: shuttle_usbat: fix initFunction error return 2022-04-21 19:02:40 +02:00
sierra_ms.c usb-storage: Remove redundant assignments 2021-12-30 12:10:17 +01:00
sierra_ms.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
transport.c USB: storage: Fix typo in comment 2022-06-21 16:39:42 +02:00
transport.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
uas-detect.h usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 2023-01-17 16:37:04 +01:00
uas.c scsi: uas: Drop DID_TARGET_FAILURE use 2022-09-06 22:05:58 -04:00
unusual_alauda.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_cypress.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_datafab.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_devs.h Revert "usb: storage: Add quirk for Samsung Fit flash" 2022-09-22 15:52:31 +02:00
unusual_ene_ub6250.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_freecom.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_isd200.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_jumpshot.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_karma.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_onetouch.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_realtek.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_sddr09.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_sddr55.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_uas.h usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 2023-01-17 16:37:04 +01:00
unusual_usbat.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
usb.c scsi: usb: storage: Complete the SCSI request directly 2022-02-07 23:14:15 -05:00
usb.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
usual-tables.c usb-storage: Use const to reduce object data size 2020-02-19 11:08:52 +01:00