lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200802152145.4387-1-baijiaju@tsinghua.edu.cn>
Date:   Sun,  2 Aug 2020 23:21:45 +0800
From:   Jia-Ju Bai <baijiaju@...nghua.edu.cn>
To:     linuxdrivers@...otech.com, jejb@...ux.ibm.com,
        martin.petersen@...cle.com
Cc:     linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
        Jia-Ju Bai <baijiaju@...nghua.edu.cn>
Subject: [PATCH] scsi: esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_fs_ioctl()

In esas2r_read_fs():
  struct esas2r_ioctl_fs *fs = 
         (struct esas2r_ioctl_fs *)a->fs_api_buffer;

Because "a->fs_api_buffer" is mapped to coherent DMA (allocated in
esas2r_write_fs()), "fs" is also mapped to DMA.

Then esas2r_read_fs() calls esas2r_process_fs_ioctl() with "fs".

In esas2r_process_fs_ioctl():
  fsc = &fs->command;
  ...
  if (fsc->command >= cmdcnt) {
    fs->status = ATTO_STS_INV_FUNC;
    return false;
  }
  func = cmd_to_fls_func[fsc->command];
  if (func == 0xFF) {
    fs->status = ATTO_STS_INV_FUNC;
    return false;
  }

Because "fs" is mapped to DMA, its data can be modified at anytime by
malicious or malfunctioning hardware. In this case, the check 
"if (fsc->command >= cmdcnt)" can be passed, and then "fsc->command" 
can be modified by hardware to cause buffer overflow.

To fix this problem, "fsc->command" is assigned to a local variable, and
then this local variable is used to replace "fsc->command".

Signed-off-by: Jia-Ju Bai <baijiaju@...nghua.edu.cn>
---
 drivers/scsi/esas2r/esas2r_flash.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/esas2r/esas2r_flash.c b/drivers/scsi/esas2r/esas2r_flash.c
index b02ac389e6c6..ca5ff0d4c7d0 100644
--- a/drivers/scsi/esas2r/esas2r_flash.c
+++ b/drivers/scsi/esas2r/esas2r_flash.c
@@ -851,6 +851,7 @@ bool esas2r_process_fs_ioctl(struct esas2r_adapter *a,
 	struct esas2r_ioctlfs_command *fsc = &fs->command;
 	u8 func = 0;
 	u32 datalen;
+	u8 command = fsc->command;
 
 	fs->status = ATTO_STS_FAILED;
 	fs->driver_error = RS_PENDING;
@@ -860,18 +861,18 @@ bool esas2r_process_fs_ioctl(struct esas2r_adapter *a,
 		return false;
 	}
 
-	if (fsc->command >= cmdcnt) {
+	if (command >= cmdcnt) {
 		fs->status = ATTO_STS_INV_FUNC;
 		return false;
 	}
 
-	func = cmd_to_fls_func[fsc->command];
+	func = cmd_to_fls_func[command];
 	if (func == 0xFF) {
 		fs->status = ATTO_STS_INV_FUNC;
 		return false;
 	}
 
-	if (fsc->command != ESAS2R_FS_CMD_CANCEL) {
+	if (command != ESAS2R_FS_CMD_CANCEL) {
 		if ((a->pcid->device != ATTO_DID_MV_88RC9580
 		     || fs->adap_type != ESAS2R_FS_AT_ESASRAID2)
 		    && (a->pcid->device != ATTO_DID_MV_88RC9580TS
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ