[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3b2542225e519a8cf8e329745b0ee2e2464787c7.camel@redhat.com>
Date: Mon, 18 Mar 2019 11:22:35 -0400
From: "Ewan D. Milne" <emilne@...hat.com>
To: "Martin K. Petersen" <martin.petersen@...cle.com>,
"jianchao.wang" <jianchao.w.wang@...cle.com>
Cc: jejb@...ux.ibm.com,
"linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Junxiao Bi <junxiao.bi@...cle.com>, diego.gonzalez@...cle.com
Subject: Re: [BUG] scsi: ses: out of bound accessing in
ses_enclosure_data_process
On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
> Jianchao,
>
> > When our customer probe the lpfc devices, they encountered odd memory
> > corruption issues, and we get 'out of bound' access warning at
> > following position after open KASAN
>
> Please provide the output of:
>
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
>
> for the enclosure device in question.
>
The ses driver is allocating kernel buffers based upon the size
reported by RECEIVE DIAGNOSTIC commands, and is iterating through
them based on sizes in the individual descriptors. It appears to
be vulnerable to incorrect data from the device causing out-of-bounds
memory access, because the for() test does not prevent the use of
the pointer in subsequent code, e.g.:
for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
types += type_ptr[2];
type_ptr += type_ptr[3] + 4;
}
ses_dev->page1_types = type_ptr;
ses_dev->page1_num_types = types;
Whether or not this is the current problem, it's wrong.
-Ewan
Powered by blists - more mailing lists