The syzbot reported a kernel-usb-infoleak in usbtmc_write.
The expression "aligned = (transfersize + (USBTMC_HEADER_SIZE + 3)) & ~3;"
in usbtmcw_write() follows the following pattern:
aligned = (1 + 12 + 3) & ~3 = 16 // 3 bytes have not been initialized
aligned = (2 + 12 + 3) & ~3 = 16 // 2 bytes have not been initialized
aligned = (3 + 12 + 3) & ~3 = 16 // 1 byte has not been initialized
aligned = (4 + 12 + 3) & ~3 = 16 // All bytes have been initialized
aligned = (5 + 12 + 3) & ~3 = 20 // 3 bytes have not been initialized
aligned = (6 + 12 + 3) & ~3 = 20 // 2 bytes have not been initialized
aligned = (7 + 12 + 3) & ~3 = 20 // 1 byte has not been initialized
aligned = (8 + 12 + 3) & ~3 = 20 // All bytes have been initialized
aligned = (9 + 12 + 3) & ~3 = 24
...
Note: #define USBTMC_HEADER_SIZE 12
This results in the buffer[USBTMC_SEAD_SIZE+transfersize] and its
subsequent memory not being initialized.
The condition aligned < buflen is used to avoid out of bounds access to
the buffer[USBTMC_HEADER_SIZE + transfersize] when "transfersize =
buflen - USBTMC_HEADER_SIZE".
Fixes: 4ddc645f40e9 ("usb: usbtmc: Add ioctl for vendor specific write")
Reported-and-tested-by: syzbot+9d34f80f841e948c3fdb@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=9d34f80f841e948c3fdb
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
drivers/usb/class/usbtmc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 6bd9fe565385..faf8c5508997 100644
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -1591,6 +1591,10 @@ static ssize_t usbtmc_write(struct file *filp, const char __user *buf,
goto exit;
}
+ if (aligned < buflen && (transfersize % 4))
+ memset(&buffer[USBTMC_HEADER_SIZE + transfersize], 0,
+ aligned - USBTMC_HEADER_SIZE - transfersize);
+
dev_dbg(&data->intf->dev, "%s(size:%u align:%u)\n", __func__,
(unsigned int)transfersize, (unsigned int)aligned);
--
2.43.0
