| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <834e83a227f40c4654b97f2f0b045b4cbd326f16.camel@perches.com>
Date: Thu, 04 Nov 2021 09:04:01 -0700
From: Joe Perches <joe@...ches.com>
To: George Kennedy <george.kennedy@...cle.com>,
gregkh@...uxfoundation.org, jejb@...ux.ibm.com,
martin.petersen@...cle.com
Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
dan.carpenter@...cle.com
Subject: Re: [PATCH] scsi: scsi_debug: fix return checks for kcalloc
On Wed, 2021-11-03 at 14:01 -0500, George Kennedy wrote:
> Change return checks from kcalloc() to now check for NULL and
> ZERO_SIZE_PTR using the ZERO_OR_NULL_PTR macro or the following
> crash can occur if ZERO_SIZE_PTR indicator is returned.
>
> BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]
> BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
> Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789
[]
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
[]
> @@ -3909,7 +3909,7 @@ static int resp_comp_write(struct scsi_cmnd *scp,
> return ret;
> dnum = 2 * num;
> arr = kcalloc(lb_size, dnum, GFP_ATOMIC);
> - if (NULL == arr) {
> + if (ZERO_OR_NULL_PTR(arr)) {
> mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
> INSUFF_RES_ASCQ);
> return check_condition_result;
This one isn't necessary as num is already tested for non-0 above
this block.
> @@ -4265,7 +4265,7 @@ static int resp_verify(struct scsi_cmnd *scp, struct sdebug_dev_info *devip)
> return ret;
>
> arr = kcalloc(lb_size, vnum, GFP_ATOMIC);
> - if (!arr) {
> + if (ZERO_OR_NULL_PTR(arr)) {
> mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
> INSUFF_RES_ASCQ);
> return check_condition_result;
Here it's probably clearer code to test vnum == 0 before the kcalloc
and return check_condition_result;
> @@ -4334,7 +4334,7 @@ static int resp_report_zones(struct scsi_cmnd *scp,
> max_zones);
>
> arr = kcalloc(RZONES_DESC_HD, alloc_len, GFP_ATOMIC);
> - if (!arr) {
> + if (ZERO_OR_NULL_PTR(arr)) {
> mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
> INSUFF_RES_ASCQ);
> return check_condition_result;
And here test alloc_len == 0 before the kcalloc.
Powered by blists - more mailing lists