Message-Id: <20210827092643.273357-1-starmiku1207184332@gmail.com>
Date: Fri, 27 Aug 2021 17:26:43 +0800
From: starmiku1207184332@...il.com
To: njavali@...vell.com, mrangankar@...vell.com, jejb@...ux.ibm.com,
martin.petersen@...cle.com
Cc: GR-QLogic-Storage-Upstream@...vell.com, linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org, baijiaju1990@...il.com,
Teng Qi <starmiku120718432@...il.com>,
TOTE Robot <oslab@...nghua.edu.cn>
Subject: [PATCH] scsi: qla4xxx: Fix a buffer overflow in qla4xxx_free_ddb()
From: Teng Qi <starmiku120718432@...il.com>
Function qla4xxx_session_destroy(), function qla4xxx_get_fwddb_entry() and
function qla4xxx_free_ddb() correspond to this buffer overflow.
Function qla4xxx_session_destroy() firstly calls function
qla4xxx_get_fwddb_entry(), and secondly calls function qla4xxx_free_ddb().
In function qla4xxx_session_destroy(), the function qla4xxx_get_fwddb_entry() is
called with ddb_entry->fw_ddb_index being passed to formal parameter
fw_ddb_index.

    ret = qla4xxx_get_fwddb_entry(ha, ddb_entry->fw_ddb_index,
                                  fw_ddb_entry, fw_ddb_entry_dma,
                                  NULL, NULL, &ddb_state, NULL,
                                  NULL, NULL);
In qla4xxx_get_fwddb_entry(), fw_ddb_index is checked in:

    if (fw_ddb_index >= MAX_DDB_ENTRIES)
This indicates fw_ddb_index could be greater than or equal to MAX_DDB_ENTRIES,
and ddb_entry->fw_ddb_index could be also greater than or equal to
MAX_DDB_ENTRIES.
If so, the qla4xxx_get_fwddb_entry() will return QLA_ERROR.
After return, the program goes to the label destroy_session.
Then the function qla4xxx_free_ddb() is called with argument ddb_entry.
In qla4xxx_free_ddb(), ddb_entry->fw_ddb_index is used as index.

    ha->fw_ddb_index_map[ddb_entry->fw_ddb_index] =
        (struct ddb_entry *) INVALID_ENTRY;
However, the size of ha->fw_ddb_index_map is MAX_DDB_ENTRIES, which can cause
a buffer overflow.
To fix this possible buffer overflow, ddb_entry->fw_ddb_index should be
checked first.
If ddb_entry->fw_ddb_index is greater than or equal to MAX_DDB_ENTRIES, the
function qla4xxx_free_ddb() returns.
Reported-by: TOTE Robot <oslab@...nghua.edu.cn>
Signed-off-by: Teng Qi <starmiku120718432@...il.com>
---
drivers/scsi/qla4xxx/ql4_init.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/qla4xxx/ql4_init.c b/drivers/scsi/qla4xxx/ql4_init.c
index f786ac2f5548..e5b2161e59ed 100644
--- a/drivers/scsi/qla4xxx/ql4_init.c
+++ b/drivers/scsi/qla4xxx/ql4_init.c
@@ -47,6 +47,8 @@ static void ql4xxx_set_mac_number(struct scsi_qla_host *ha)
void qla4xxx_free_ddb(struct scsi_qla_host *ha,
struct ddb_entry *ddb_entry)
{
+ if (ddb_entry->fw_ddb_index >= MAX_DDB_ENTRIES)
+ return;
/* Remove device pointer from index mapping arrays */
ha->fw_ddb_index_map[ddb_entry->fw_ddb_index] =
(struct ddb_entry *) INVALID_ENTRY;
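Review bot: the guard added at the top of qla4xxx_free_ddb() returns silently, so an out-of-range fw_ddb_index that reaches this function is masked rather than reported, and everything after the early return (the index-map write shown here and any cleanup that follows it in the function) is skipped for that entry. Consider making the condition visible, for example with WARN_ON_ONCE() or the driver's ql4_printk() path, so an inconsistent index is noticed, and check whether an entry whose fw_ddb_index is >= MAX_DDB_ENTRIES can ever have been inserted into ha->fw_ddb_index_map in the first place; if not, the root cause is at the point where fw_ddb_index is assigned, and the check here is only a safety net.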
--
2.25.1
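The bounds condition the patch adds, as an added example that is not part of the driver or of this patch: a small model of the index-map bookkeeping that qla4xxx_free_ddb() performs, with the same check applied on both insertion and removal so the invariant "every fw_ddb_index stored in the map is below MAX_DDB_ENTRIES" holds at both ends. The structure names, the array size, the INVALID_ENTRY sentinel value and the return codes are constructed stand-ins for the driver's own definitions in ql4_def.h, not the real ones.

```c
/* Added example, not qla4xxx code: models ha->fw_ddb_index_map handling
 * with a bounds check on both insert and free. All names and values below
 * are constructed stand-ins for the driver's definitions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DDB_ENTRIES 8                                  /* constructed size */
#define INVALID_ENTRY   ((struct ddb_entry *)(uintptr_t)0xffff) /* constructed sentinel */

struct ddb_entry {
	uint16_t fw_ddb_index;   /* slot this entry occupies in the index map */
};

struct host {
	struct ddb_entry *fw_ddb_index_map[MAX_DDB_ENTRIES];
	int tot_ddbs;            /* number of live entries in the map */
};

/* Reset the map to the "nothing inserted" state. */
void host_init(struct host *ha)
{
	for (size_t i = 0; i < MAX_DDB_ENTRIES; i++)
		ha->fw_ddb_index_map[i] = NULL;
	ha->tot_ddbs = 0;
}

/* Insert an entry at index idx. Returns 0 on success, -1 if idx would
 * fall outside the array or the slot is already occupied. Rejecting the
 * index here is what keeps the free path's check from ever firing. */
int insert_ddb(struct host *ha, struct ddb_entry *ddb, uint16_t idx)
{
	if (idx >= MAX_DDB_ENTRIES)
		return -1;
	if (ha->fw_ddb_index_map[idx] != NULL &&
	    ha->fw_ddb_index_map[idx] != INVALID_ENTRY)
		return -1;
	ddb->fw_ddb_index = idx;
	ha->fw_ddb_index_map[idx] = ddb;
	ha->tot_ddbs++;
	return 0;
}

/* Equivalent of the patched free path: refuse to index past the array.
 * Returns 0 when the slot was invalidated, -1 when the index was rejected. */
int free_ddb_checked(struct host *ha, struct ddb_entry *ddb)
{
	if (ddb->fw_ddb_index >= MAX_DDB_ENTRIES) {
		/* Out-of-range index: report it instead of writing past the map. */
		fprintf(stderr, "free_ddb: index %u >= %d, refusing\n",
			ddb->fw_ddb_index, MAX_DDB_ENTRIES);
		return -1;
	}
	ha->fw_ddb_index_map[ddb->fw_ddb_index] = INVALID_ENTRY;
	ha->tot_ddbs--;
	return 0;
}

/* Returns 1 if every slot in the map is NULL, INVALID_ENTRY, or points
 * at an entry whose fw_ddb_index matches its slot; 0 otherwise. */
int map_is_consistent(const struct host *ha)
{
	int live = 0;
	for (size_t i = 0; i < MAX_DDB_ENTRIES; i++) {
		const struct ddb_entry *e = ha->fw_ddb_index_map[i];
		if (e == NULL || e == INVALID_ENTRY)
			continue;
		if (e->fw_ddb_index != i)
			return 0;
		live++;
	}
	return live == ha->tot_ddbs;
}

int main(void)
{
	struct host ha;
	struct ddb_entry a, stale = { .fw_ddb_index = MAX_DDB_ENTRIES };

	host_init(&ha);
	insert_ddb(&ha, &a, 3);
	printf("free a: %d\n", free_ddb_checked(&ha, &a));          /* 0 */
	printf("free stale: %d\n", free_ddb_checked(&ha, &stale));  /* -1 */
	printf("consistent: %d\n", map_is_consistent(&ha));         /* 1 */
	return 0;
}
```

The free path and the insert path share one condition, so an entry that could never have been placed in the map is also never used to index it on the way out; the stderr line stands in for whatever reporting the driver would use, and the consistency walk is the check a reviewer would run after both paths to confirm nothing was written outside the array.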