| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Nov 2021 13:22:34 -0400
From: George Kennedy <george.kennedy@...cle.com>
To: Joe Perches <joe@...ches.com>, gregkh@...uxfoundation.org,
jejb@...ux.ibm.com, martin.petersen@...cle.com
Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
dan.carpenter@...cle.com
Subject: Re: [PATCH] scsi: scsi_debug: fix return checks for kcalloc
Thanks Joe,
On 11/4/2021 12:04 PM, Joe Perches wrote:
> On Wed, 2021-11-03 at 14:01 -0500, George Kennedy wrote:
>> Change return checks from kcalloc() to now check for NULL and
>> ZERO_SIZE_PTR using the ZERO_OR_NULL_PTR macro or the following
>> crash can occur if ZERO_SIZE_PTR indicator is returned.
>>
>> BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]
>> BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
>> Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789
> []
>> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> []
>> @@ -3909,7 +3909,7 @@ static int resp_comp_write(struct scsi_cmnd *scp,
>> return ret;
>> dnum = 2 * num;
>> arr = kcalloc(lb_size, dnum, GFP_ATOMIC);
>> - if (NULL == arr) {
>> + if (ZERO_OR_NULL_PTR(arr)) {
>> mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
>> INSUFF_RES_ASCQ);
>> return check_condition_result;
> This one isn't necessary as num is already tested for non-0 above
> this block.
The check for "num" preceding the above does this:
if (0 == num)
return 0; /* degenerate case, not an error */
Shouldn't I use that same size check and "return 0" if size == zero in
the other cases?
>
>> @@ -4265,7 +4265,7 @@ static int resp_verify(struct scsi_cmnd *scp, struct sdebug_dev_info *devip)
>> return ret;
>>
>> arr = kcalloc(lb_size, vnum, GFP_ATOMIC);
>> - if (!arr) {
>> + if (ZERO_OR_NULL_PTR(arr)) {
>> mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
>> INSUFF_RES_ASCQ);
>> return check_condition_result;
> Here it's probably clearer code to test vnum == 0 before the kcalloc
> and return check_condition_result;
>
>> @@ -4334,7 +4334,7 @@ static int resp_report_zones(struct scsi_cmnd *scp,
>> max_zones);
>>
>> arr = kcalloc(RZONES_DESC_HD, alloc_len, GFP_ATOMIC);
>> - if (!arr) {
>> + if (ZERO_OR_NULL_PTR(arr)) {
>> mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
>> INSUFF_RES_ASCQ);
>> return check_condition_result;
> And here test alloc_len == 0 before the kcalloc.
Using your suggested fix (with return 0 instead of return
check_condition_result) the patch would look like this:
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 40b473e..93913d2 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -4258,6 +4258,8 @@ static int resp_verify(struct scsi_cmnd *scp,
struct sdebug_dev_info *devip)
mk_sense_invalid_opcode(scp);
return check_condition_result;
}
+ if (0 == vnum)
+ return 0; /* degenerate case, not an error */
a_num = is_bytchk3 ? 1 : vnum;
/* Treat following check like one for read (i.e. no write)
access */
ret = check_device_access_params(scp, lba, a_num, false);
@@ -4321,6 +4323,8 @@ static int resp_report_zones(struct scsi_cmnd *scp,
}
zs_lba = get_unaligned_be64(cmd + 2);
alloc_len = get_unaligned_be32(cmd + 10);
+ if (0 == alloc_len)
+ return 0; /* degenerate case, not an error */
rep_opts = cmd[14] & 0x3f;
partial = cmd[14] & 0x80;
Does the above look ok?
George
>
>
Powered by blists - more mailing lists