CVE-2023-53847

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb-storage: alauda: Fix uninit-value in alauda_check_media()<br /> <br /> Syzbot got KMSAN to complain about access to an uninitialized value in<br /> the alauda subdriver of usb-storage:<br /> <br /> BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0<br /> drivers/usb/storage/alauda.c:1137<br /> CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS<br /> Google 01/01/2011<br /> Call Trace:<br /> __dump_stack lib/dump_stack.c:77 [inline]<br /> dump_stack+0x191/0x1f0 lib/dump_stack.c:113<br /> kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108<br /> __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250<br /> alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460<br /> <br /> The problem is that alauda_check_media() doesn&amp;#39;t verify that its USB<br /> transfer succeeded before trying to use the received data. What<br /> should happen if the transfer fails isn&amp;#39;t entirely clear, but a<br /> reasonably conservative approach is to pretend that no media is<br /> present.<br /> <br /> A similar problem exists in a usb_stor_dbg() call in<br /> alauda_get_media_status(). In this case, when an error occurs the<br /> call is redundant, because usb_stor_ctrl_transfer() already will print<br /> a debugging message.<br /> <br /> Finally, unrelated to the uninitialized memory access, is the fact<br /> that alauda_check_media() performs DMA to a buffer on the stack.<br /> Fortunately usb-storage provides a general purpose DMA-able buffer for<br /> uses like this. We&amp;#39;ll use it instead.