lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 18 Mar 2019 11:13:18 +0800
From:   "jianchao.wang" <jianchao.w.wang@...cle.com>
To:     jejb@...ux.ibm.com, martin.petersen@...cle.com
Cc:     "linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Junxiao Bi <junxiao.bi@...cle.com>, diego.gonzalez@...cle.com
Subject: Re: [BUG] scsi: ses: out of bound accessing in
 ses_enclosure_data_process

Would anyone please give some suggestions ?

It looks like there somethings wrong in the read-in data, 

	/* skip all the enclosure descriptors */
	for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
		types += type_ptr[2];
		type_ptr += type_ptr[3] + 4; ----> here
	}
Then the typr_ptr got out of bound of the buffer.


Thanks
Jianchao

On 3/14/19 11:19 AM, jianchao.wang wrote:
> Dear all
> 
> When our customer probe the lpfc devices, they encountered odd memory corruption issues,
> and we get 'out of bound' access warning at following position after open KASAN
> 
> ses_enclosure_data_process
> 
> for (i = 0; i < types; i++, type_ptr += 4) {
>   for (j = 0; j < type_ptr[1]; j++) {
>                    ^^^^^^^^^^^
>                    out of bound
> 
> With some debug log, I got following,
> 
> page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
> 
> Would anyone please give some suggestions on this ?
> 
> Thanks
> Jianchao
> 

Powered by blists - more mailing lists