lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 Mar 2017 13:21:01 +0800
From:   Kefeng Wang <wangkefeng.wang@...wei.com>
To:     "Martin K. Petersen" <martin.petersen@...cle.com>
CC:     Jens Axboe <axboe@...nel.dk>,
        "James E.J. Bottomley" <jejb@...ux.vnet.ibm.com>,
        <linux-scsi@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] scsi: sr: fix oob access in get_capabilities



On 2017/3/16 8:07, Martin K. Petersen wrote:
> Kefeng Wang <wangkefeng.wang@...wei.com> writes:
> 
> Kefeng,
> 
>> 'n = header_length + block_descriptor_length' could be greater than 512,
>> and will lead to oob access, so enlarge transfer buffer to fix it.
> 
> Can you share the output of sg_modes -p 0x2a /dev/srN for the offending
> drive?


root@...alhost ~]# sg_modes -p 0x2a /dev/sr0
    QEMU      QEMU DVD-ROM      0.15   peripheral_type: cd/dvd [0x5]
Mode parameter header from MODE SENSE(10):
Invalid block descriptor length=512, ignore
  Mode data length=36, medium type=0x70, specific param=0x00, longlba=0
  Block descriptor length=0
>> MM capabilities and mechanical status (obsolete), page_control: current
 00     2a 12 00 00 71 60 29 00  02 c2 00 02 02 00 02 c2
 10     00 00 00 00
Unexpectedly received extra mode page responses, ignore

note: the issue was found in guestos?  maybe some bugs exist in qemu?

Kefeng

> 
> This mode page is usually much smaller than 512 bytes (typically between
> 32 and 128 bytes).
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ