| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 10 Jan 2021 20:44:43 -0800
From: Jaegeuk Kim <jaegeuk@...nel.org>
To: linux-kernel@...r.kernel.org, linux-scsi@...r.kernel.org,
kernel-team@...roid.com
Cc: cang@...eaurora.org, alim.akhtar@...sung.com, avri.altman@....com,
bvanassche@....org, martin.petersen@...cle.com,
stanley.chu@...iatek.com, Jaegeuk Kim <jaegeuk@...gle.com>,
Jaegeuk Kim <jaegeuk@...nel.org>
Subject: [PATCH] scsi: ufs: should not override buffer lengh
From: Jaegeuk Kim <jaegeuk@...gle.com>
Kernel stack violation when getting unit_descriptor/wb_buf_alloc_units from
rpmb lun. The reason is the unit descriptor length is different per LU.
The lengh of Normal LU is 45, while the one of rpmb LU is 35.
int ufshcd_read_desc_param(struct ufs_hba *hba, ...)
{
param_offset=41;
param_size=4;
buff_len=45;
...
buff_len=35 by rpmb LU;
if (is_kmalloc) {
/* Make sure we don't copy more data than available */
if (param_offset + param_size > buff_len)
param_size = buff_len - param_offset;
--> param_size = 250;
memcpy(param_read_buf, &desc_buf[param_offset], param_size);
--> memcpy(param_read_buf, desc_buf+41, 250);
[ 141.868974][ T9174] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: wb_buf_alloc_units_show+0x11c/0x11c
}
}
Signed-off-by: Jaegeuk Kim <jaegeuk@...nel.org>
---
drivers/scsi/ufs/ufshcd.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 2a715f13fe1d..722697b57777 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -3293,8 +3293,12 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
if (is_kmalloc) {
/* Make sure we don't copy more data than available */
- if (param_offset + param_size > buff_len)
- param_size = buff_len - param_offset;
+ if (param_offset + param_size > buff_len) {
+ if (buff_len > param_offset)
+ param_size = buff_len - param_offset;
+ else
+ param_size = 0;
+ }
memcpy(param_read_buf, &desc_buf[param_offset], param_size);
}
out:
--
2.30.0.284.gd98b1dd5eaa7-goog
Powered by blists - more mailing lists