Patch "usb: idmouse: fix an uninit-value in idmouse_open" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Oct 2022 23:27:45 -0400

This is a note to let you know that I've just added the patch titled

    usb: idmouse: fix an uninit-value in idmouse_open

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 888c47eb90b41b3a4504f0d69d0ff40e35ca5755
Author: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
Date:   Thu Sep 22 21:48:44 2022 +0800

    usb: idmouse: fix an uninit-value in idmouse_open
    
    [ Upstream commit bce2b0539933e485d22d6f6f076c0fcd6f185c4c ]
    
    In idmouse_create_image, if any ftip_command fails, it will
    go to the reset label. However, this leads to the data in
    bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check
    for valid image incurs an uninitialized dereference.
    
    Fix this by moving the check before reset label since this
    check only be valid if the data after bulk_in_buffer[HEADER]
    has concrete data.
    
    Note that this is found by KMSAN, so only kernel compilation
    is tested.
    
    Reported-by: syzbot+79832d33eb89fb3cd092@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20220922134847.1101921-1-dzm91@xxxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c
index e9437a176518..ea39243efee3 100644
--- a/drivers/usb/misc/idmouse.c
+++ b/drivers/usb/misc/idmouse.c
@@ -177,10 +177,6 @@ static int idmouse_create_image(struct usb_idmouse *dev)
 		bytes_read += bulk_read;
 	}
 
-	/* reset the device */
-reset:
-	ftip_command(dev, FTIP_RELEASE, 0, 0);
-
 	/* check for valid image */
 	/* right border should be black (0x00) */
 	for (bytes_read = sizeof(HEADER)-1 + WIDTH-1; bytes_read < IMGSIZE; bytes_read += WIDTH)
@@ -192,6 +188,10 @@ static int idmouse_create_image(struct usb_idmouse *dev)
 		if (dev->bulk_in_buffer[bytes_read] != 0xFF)
 			return -EAGAIN;
 
+	/* reset the device */
+reset:
+	ftip_command(dev, FTIP_RELEASE, 0, 0);
+
 	/* should be IMGSIZE == 65040 */
 	dev_dbg(&dev->interface->dev, "read %d bytes fingerprint data\n",
 		bytes_read);






