| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 21 Nov 2021 20:36:13 -0500
From: Douglas Gilbert <dgilbert@...erlog.com>
To: George Kennedy <george.kennedy@...cle.com>,
gregkh@...uxfoundation.org, jejb@...ux.ibm.com,
martin.petersen@...cle.com
Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] scsi: scsi_debug: sanity check block descriptor length in
resp_mode_select
On 2021-11-18 2:03 p.m., George Kennedy wrote:
> In resp_mode_select() sanity check the block descriptor len to avoid UAF.
>
> BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
> Read of size 1 at addr ffff888026670f50 by task scsicmd/15032
>
> CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Call Trace:
> <TASK>
> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
> print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
> kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
> __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
> resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
> schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
> scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
> scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
> blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
> __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
> blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
> __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
> __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
> blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
> blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
> blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
> sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
> sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
> sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
> sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
> __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
> do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
> entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113
>
> Reported-by: syzkaller <syzkaller@...glegroups.com>
> Signed-off-by: George Kennedy <george.kennedy@...cle.com>
So this patch makes sure we don't read outside the parameter data (at least
for the 0th byte of the mode page) so that is an improvement. It could be
stronger if it took into account the size of the mode page which is copied
inside the following switch.
But I can't see how that leads to use after free from KASAN. Hmm, I suppose
any out-of-bounds read could be reported as a use after free. It would be
useful if KASAN differentiated the two cases.
Anyway, the patch can't hurt.
Acked-by: Douglas Gilbert <dgilbert@...erlog.com>
> ---
> drivers/scsi/scsi_debug.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index 1d0278d..51e3b57 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -2499,11 +2499,11 @@ static int resp_mode_select(struct scsi_cmnd *scp,
> __func__, param_len, res);
> md_len = mselect6 ? (arr[0] + 1) : (get_unaligned_be16(arr + 0) + 2);
> bd_len = mselect6 ? arr[3] : get_unaligned_be16(arr + 6);
> - if (md_len > 2) {
> + off = bd_len + (mselect6 ? 4 : 8);
> + if (md_len > 2 || off >= res) {
> mk_sense_invalid_fld(scp, SDEB_IN_DATA, 0, -1);
> return check_condition_result;
> }
> - off = bd_len + (mselect6 ? 4 : 8);
> mpage = arr[off] & 0x3f;
> ps = !!(arr[off] & 0x80);
> if (ps) {
>
Powered by blists - more mailing lists