lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20210310105042.31660-1-dinghao.liu@zju.edu.cn>
Date:   Wed, 10 Mar 2021 18:50:42 +0800
From:   Dinghao Liu <dinghao.liu@....edu.cn>
To:     dinghao.liu@....edu.cn, kjlu@....edu
Cc:     Hannes Reinecke <hare@...e.com>,
        "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] scsi: aic7xxx: aic79xx: Add missing check in ahc_handle_seqint

ahc_lookup_scb() may return a null pointer and further lead to
null-pointer-dereference in case DATA_OVERRUN. Fix this by adding
a null check.

Signed-off-by: Dinghao Liu <dinghao.liu@....edu.cn>
---
 drivers/scsi/aic7xxx/aic7xxx_core.c | 72 +++++++++++++++--------------
 1 file changed, 37 insertions(+), 35 deletions(-)

diff --git a/drivers/scsi/aic7xxx/aic7xxx_core.c b/drivers/scsi/aic7xxx/aic7xxx_core.c
index 4b04ab8908f8..3a1cd6a0334e 100644
--- a/drivers/scsi/aic7xxx/aic7xxx_core.c
+++ b/drivers/scsi/aic7xxx/aic7xxx_core.c
@@ -1382,43 +1382,45 @@ ahc_handle_seqint(struct ahc_softc *ahc, u_int intstat)
 		u_int i;
 
 		scb = ahc_lookup_scb(ahc, scbindex);
-		for (i = 0; i < num_phases; i++) {
-			if (lastphase == ahc_phase_table[i].phase)
-				break;
-		}
-		ahc_print_path(ahc, scb);
-		printk("data overrun detected %s."
-		       "  Tag == 0x%x.\n",
-		       ahc_phase_table[i].phasemsg,
-		       scb->hscb->tag);
-		ahc_print_path(ahc, scb);
-		printk("%s seen Data Phase.  Length = %ld.  NumSGs = %d.\n",
-		       ahc_inb(ahc, SEQ_FLAGS) & DPHASE ? "Have" : "Haven't",
-		       ahc_get_transfer_length(scb), scb->sg_count);
-		if (scb->sg_count > 0) {
-			for (i = 0; i < scb->sg_count; i++) {
-
-				printk("sg[%d] - Addr 0x%x%x : Length %d\n",
-				       i,
-				       (ahc_le32toh(scb->sg_list[i].len) >> 24
-					& SG_HIGH_ADDR_BITS),
-				       ahc_le32toh(scb->sg_list[i].addr),
-				       ahc_le32toh(scb->sg_list[i].len)
-				       & AHC_SG_LEN_MASK);
+		if (scb != NULL) {
+			for (i = 0; i < num_phases; i++) {
+				if (lastphase == ahc_phase_table[i].phase)
+					break;
 			}
+			ahc_print_path(ahc, scb);
+			printk("data overrun detected %s."
+				"  Tag == 0x%x.\n",
+				ahc_phase_table[i].phasemsg,
+				scb->hscb->tag);
+			ahc_print_path(ahc, scb);
+			printk("%s seen Data Phase.  Length = %ld.  NumSGs = %d.\n",
+				ahc_inb(ahc, SEQ_FLAGS) & DPHASE ? "Have" : "Haven't",
+				ahc_get_transfer_length(scb), scb->sg_count);
+			if (scb->sg_count > 0) {
+				for (i = 0; i < scb->sg_count; i++) {
+
+					printk("sg[%d] - Addr 0x%x%x : Length %d\n",
+						i,
+						(ahc_le32toh(scb->sg_list[i].len) >> 24
+						& SG_HIGH_ADDR_BITS),
+						ahc_le32toh(scb->sg_list[i].addr),
+						ahc_le32toh(scb->sg_list[i].len)
+						& AHC_SG_LEN_MASK);
+				}
+			}
+			/*
+			* Set this and it will take effect when the
+			* target does a command complete.
+			*/
+			ahc_freeze_devq(ahc, scb);
+			if ((scb->flags & SCB_SENSE) == 0) {
+				ahc_set_transaction_status(scb, CAM_DATA_RUN_ERR);
+			} else {
+				scb->flags &= ~SCB_SENSE;
+				ahc_set_transaction_status(scb, CAM_AUTOSENSE_FAIL);
+			}
+			ahc_freeze_scb(scb);
 		}
-		/*
-		 * Set this and it will take effect when the
-		 * target does a command complete.
-		 */
-		ahc_freeze_devq(ahc, scb);
-		if ((scb->flags & SCB_SENSE) == 0) {
-			ahc_set_transaction_status(scb, CAM_DATA_RUN_ERR);
-		} else {
-			scb->flags &= ~SCB_SENSE;
-			ahc_set_transaction_status(scb, CAM_AUTOSENSE_FAIL);
-		}
-		ahc_freeze_scb(scb);
 
 		if ((ahc->features & AHC_ULTRA2) != 0) {
 			/*
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ