| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210708075141.103282-1-xlpang@linux.alibaba.com>
Date: Thu, 8 Jul 2021 15:51:41 +0800
From: Xunlei Pang <xlpang@...ux.alibaba.com>
To: "James E . J . Bottomley" <jejb@...ux.ibm.com>,
"Martin K . Petersen" <martin.petersen@...cle.com>,
Hannes Reinecke <hare@...e.com>,
Qingming Su <qingming.su@...ux.alibaba.com>
Cc: linux-kernel@...r.kernel.org, linux-scsi@...r.kernel.org
Subject: [PATCH] scsi: ses: Fix out-of-bound memory write
Our memory debug tool captured the following exception:
BUG: memory corruption in ses_enclosure_data_process+0x24b/0x310 [ses]
ses_enclosure_data_process+0x24b/0x310 [ses]
ses_intf_add+0x444/0x542 [ses]
class_interface_register+0x110/0x120
ses_init+0x13/0x1000 [ses]
do_one_initcall+0x41/0x1c0
do_init_module+0x5c/0x260
__do_sys_finit_module+0xb1/0x110
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The root cause is "desc_ptr[len] = '\0'" makes out-of-bound
memory write beyond "buf", so make it within the buffer size.
Reported-by: Qingming Su <qingming.su@...ux.alibaba.com>
Signed-off-by: Xunlei Pang <xlpang@...ux.alibaba.com>
---
drivers/scsi/ses.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index c2afba2a5414..c1ac2e96d25d 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -544,11 +544,14 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
char *name = NULL;
struct enclosure_component *ecomp;
+ if (desc_ptr + 4 >= buf + page7_len)
+ desc_ptr = NULL;
+
if (desc_ptr) {
- if (desc_ptr >= buf + page7_len) {
+ len = (desc_ptr[2] << 8) + desc_ptr[3];
+ if (desc_ptr + 4 + len >= buf + page7_len) {
desc_ptr = NULL;
} else {
- len = (desc_ptr[2] << 8) + desc_ptr[3];
desc_ptr += 4;
/* Add trailing zero - pushes into
* reserved space */
--
2.20.1.7.g153144c
Powered by blists - more mailing lists