| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 May 2019 07:52:18 -0700
From: James Bottomley <jejb@...ux.ibm.com>
To: Waiman Long <longman@...hat.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>
Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] scsi: ses: Fix out-of-bounds memory access in
ses_enclosure_data_process()
On Mon, 2019-05-20 at 10:41 -0400, Waiman Long wrote:
[...]
> > --- a/drivers/scsi/ses.c
> > +++ b/drivers/scsi/ses.c
> > @@ -605,9 +605,14 @@ static void ses_enclosure_data_process(struct
> > enclosure_device *edev,
> > /* these elements are optional */
> > type_ptr[0] ==
> > ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
> > type_ptr[0] ==
> > ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
> > - type_ptr[0] ==
> > ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
> > + type_ptr[0] ==
> > ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) {
> > addl_desc_ptr += addl_desc_ptr[1]
> > + 2;
> >
> > + /* Ensure no out-of-bounds memory
> > access */
> > + if (addl_desc_ptr >= ses_dev-
> > >page10 +
> > + ses_dev-
> > >page10_len)
> > + addl_desc_ptr = NULL;
> > + }
> > }
> > }
> > kfree(buf);
>
> Ping! Any comment on this patch.
The update looks fine to me:
Reviewed-by: James E.J. Bottomley <jejb@...ux.ibm.com>
It might also be interesting to find out how the proliant is
structuring this descriptor array to precipitate the out of bounds: Is
it just an off by one or something more serious?
James
Powered by blists - more mailing lists