WSL2-Linux-Kernel/drivers/usb/storage
Kees Cook ce33e64c17 USB: ene_usb6250: Allocate enough memory for full object
The allocation of PageBuffer is 512 bytes in size, but the dereferencing
of struct ms_bootblock_idi (also size 512) happens at a calculated offset
within the allocation, which means the object could potentially extend
beyond the end of the allocation. Avoid this case by just allocating
enough space to catch any accesses beyond the end. Seen with GCC 13:

../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock':
../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=]
 1050 |                         if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
      |                                            ^~
../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu'
   37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
      |                                                   ^
../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu'
 1050 |                         if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
      |                             ^~~~~~~~~~~
In file included from ../drivers/usb/storage/ene_ub6250.c:5:
In function 'kmalloc',
    inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15:
../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace'
  580 |                 return kmalloc_trace(
      |                        ^~~~~~~~~~~~~~
  581 |                                 kmalloc_caches[kmalloc_type(flags)][index],
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  582 |                                 flags, size);
      |                                 ~~~~~~~~~~~~

Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230204183546.never.849-kees@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-06 13:46:42 +01:00
Kconfig USB: storage: replace HTTP links with HTTPS ones 2020-07-09 18:06:12 +02:00
Makefile
alauda.c usb: storage: Add check for kcalloc 2022-12-08 16:43:12 +01:00
cypress_atacb.c scsi: core: Remove the cmd field from struct scsi_request 2022-03-01 22:21:49 -05:00
datafab.c usb: storage: datafab: remove redundant assignment of variable result 2021-04-22 10:52:10 +02:00
debug.c scsi: Remove drivers/scsi/scsi.h 2022-02-22 21:11:02 -05:00
debug.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
ene_ub6250.c USB: ene_usb6250: Allocate enough memory for full object 2023-02-06 13:46:42 +01:00
freecom.c usb: storage: freecom: remove unneeded break 2020-10-28 12:22:50 +01:00
initializers.c
initializers.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
isd200.c usb-storage: isd200: fix initFunction error return 2022-04-21 19:02:42 +02:00
jumpshot.c
karma.c USB: storage: karma: fix rio_karma_init return 2022-04-21 19:03:26 +02:00
onetouch.c usb: move from strlcpy with unused retval to strscpy 2022-08-19 11:08:54 +02:00
option_ms.c
option_ms.h
protocol.c
protocol.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
realtek_cr.c USB: storage: ums-realtek: fix error code in rts51x_read_mem() 2022-03-15 18:21:25 +01:00
scsiglue.c scsi: usb: Switch to attribute groups 2021-10-16 21:45:59 -04:00
scsiglue.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
sddr09.c
sddr55.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
shuttle_usbat.c usb-storage: shuttle_usbat: fix initFunction error return 2022-04-21 19:02:40 +02:00
sierra_ms.c usb-storage: Remove redundant assignments 2021-12-30 12:10:17 +01:00
sierra_ms.h
transport.c USB: storage: Fix typo in comment 2022-06-21 16:39:42 +02:00
transport.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
uas-detect.h usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 2023-01-17 16:37:04 +01:00
uas.c scsi: uas: Drop DID_TARGET_FAILURE use 2022-09-06 22:05:58 -04:00
unusual_alauda.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_cypress.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_datafab.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_devs.h Revert "usb: storage: Add quirk for Samsung Fit flash" 2022-09-22 15:52:31 +02:00
unusual_ene_ub6250.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_freecom.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_isd200.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_jumpshot.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_karma.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_onetouch.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_realtek.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_sddr09.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_sddr55.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
unusual_uas.h usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 2023-01-17 16:37:04 +01:00
unusual_usbat.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
usb.c scsi: usb: storage: Complete the SCSI request directly 2022-02-07 23:14:15 -05:00
usb.h USB: Storage: Use the correct style for SPDX License Identifier 2020-04-23 15:28:14 +02:00
usual-tables.c