Open Source and information security mailing list archives
Message-ID: <3b2542225e519a8cf8e329745b0ee2e2464787c7.camel@redhat.com>
Date:   Mon, 18 Mar 2019 11:22:35 -0400
From:   "Ewan D. Milne" <emilne@...hat.com>
To:     "Martin K. Petersen" <martin.petersen@...cle.com>,
        "jianchao.wang" <jianchao.w.wang@...cle.com>
Cc:     jejb@...ux.ibm.com,
        "linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Junxiao Bi <junxiao.bi@...cle.com>, diego.gonzalez@...cle.com
Subject: Re: [BUG] scsi: ses: out of bound accessing in
 ses_enclosure_data_process

On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
> Jianchao,
> 
> > When our customer probed the lpfc devices, they encountered odd memory
> > corruption issues, and we got an 'out of bound' access warning at the
> > following position after enabling KASAN
> 
> Please provide the output of:
> 
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
> 
> for the enclosure device in question.
> 

The ses driver is allocating kernel buffers based upon the size
reported by RECEIVE DIAGNOSTIC commands, and is iterating through
them based on sizes in the individual descriptors.  It appears to
be vulnerable to incorrect data from the device causing out-of-bounds
memory access, because the for() test does not prevent the use of
the pointer in subsequent code, e.g.:

        for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
                types += type_ptr[2];
                type_ptr += type_ptr[3] + 4;
        }

        ses_dev->page1_types = type_ptr;
        ses_dev->page1_num_types = types;

Whether or not this is the current problem, it's wrong.

-Ewan
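
As an added illustration (not code from this email, from the kernel's ses driver, or from any upstream fix), here is a bounds-checked version of the same enclosure-descriptor walk in plain C: every device-supplied byte is checked to exist before it is read, the descriptor length the device reports is rejected if it would run past the page, and the announced type descriptor headers must fit after the last descriptor. The layout assumed follows the snippet quoted above (byte 2 of each enclosure descriptor is the type-descriptor-header count, byte 3 the remaining descriptor length); the function name and the constructed sample page are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENCL_DESC_HDR 4   /* fixed part of an enclosure descriptor */
#define TYPE_DESC_HDR 4   /* size of one type descriptor header */

/* Count the type descriptor headers announced by num_enclosures enclosure
 * descriptors starting at buf[0].  Every device-supplied byte is checked
 * to exist before it is read.  Returns the count and stores the offset of
 * the first type descriptor header in *type_off, or -1 on a bad page. */
int ses_count_types_checked(const uint8_t *buf, size_t len,
                            unsigned num_enclosures, size_t *type_off)
{
    size_t off = 0;     /* offset of the current enclosure descriptor */
    size_t types = 0;
    unsigned i;

    for (i = 0; i < num_enclosures; i++) {
        /* [2] and [3] are read below: the whole 4-byte header must fit */
        if (len - off < ENCL_DESC_HDR)
            return -1;
        size_t desc_len = (size_t)buf[off + 3] + ENCL_DESC_HDR;
        /* the device-reported length must not leave the page */
        if (desc_len > len - off)
            return -1;
        types += buf[off + 2];
        off += desc_len;
    }
    /* the announced type headers must also fit after the last descriptor */
    if (types > (len - off) / TYPE_DESC_HDR)
        return -1;
    *type_off = off;
    return (int)types;
}

int main(void)
{
    /* constructed page: descriptors announcing 2 and 1 type headers,
     * then the three 4-byte type headers (zeroed here) */
    uint8_t page[24] = { 0, 0, 2, 0,  0, 1, 1, 4, 'a', 'b', 'c', 'd' };
    size_t off = 0;
    int n = ses_count_types_checked(page, sizeof page, 2, &off);
    printf("types=%d at offset %zu\n", n, off);          /* types=3 at offset 12 */
    page[7] = 0xff;   /* device overstates the descriptor length */
    n = ses_count_types_checked(page, sizeof page, 2, &off);
    printf("tampered page -> %d\n", n);                    /* -1 */
    return 0;
}
```

Compared with the quoted loop, the check `type_ptr < buf + len` only guarantees that byte 0 of a descriptor is inside the buffer, so reading bytes 2 and 3 and then trusting the pointer after the loop can still run off the end; the version above checks the full header and the reported length before each read.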
