Message-ID: <3f35b011-4aab-4c9e-4a0d-220d7babba5d@opensource.wdc.com>
Date:   Fri, 27 May 2022 16:15:24 +0900
From:   Damien Le Moal <damien.lemoal@...nsource.wdc.com>
To:     Dongliang Mu <mudongliangabcd@...il.com>, jejb@...ux.ibm.com,
        martin.petersen@...cle.com, linux-scsi@...r.kernel.org,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: Null Pointer Dereference in sd_zbc_release_disk

On 2022/05/27 14:51, Dongliang Mu wrote:
> Hi maintainers,
> 
> I found a NPD (Null Pointer Dereference) in the sd_zbc_release_disk function.
> 
> There are two definitions of sd_zbc_release_disk:
> 
> #ifdef CONFIG_BLK_DEV_ZONED
> void sd_zbc_release_disk(struct scsi_disk *sdkp);
> #else /* CONFIG_BLK_DEV_ZONED */
> static inline void sd_zbc_release_disk(struct scsi_disk *sdkp) {}
> #endif
> 
> When CONFIG_BLK_DEV_ZONED=y, the function implementation is as follows:
> 
> void sd_zbc_release_disk(struct scsi_disk *sdkp)
> {
>     if (sd_is_zoned(sdkp))
>         sd_zbc_clear_zone_info(sdkp);
> }
> 
> static inline int sd_is_zoned(struct scsi_disk *sdkp)
> {
>     return sdkp->zoned == 1 || sdkp->device->type == TYPE_ZBC;
> }
> 
> In drivers/scsi/sd.c, sd_probe() allocates sdkp with kzalloc(). If
> errors occur before the assignment "sdkp->device", after the
> allocation, it will trigger a NPD in sd_is_zoned.
> 
> I am not familiar with kernel configuration. Does anyone have a
> suggestion to fix this NPD?
> 
> I really appreciate any help you can provide.

Can you try this patch:

 From 875899a114bce34f9549857ce87ea309b366b1cb Mon Sep 17 00:00:00 2001
From: Damien Le Moal <damien.lemoal@...nsource.wdc.com>
Date: Fri, 27 May 2022 16:07:20 +0900
Subject: [PATCH] scsi: sd_zbc: Fix potential NULL pointer dereference

If sd_probe() sees an error before sdkp->device is initialized,
sd_zbc_release_disk() is called, which causes a NULL pointer dereference
when sd_is_zoned() is called. Avoid this by turning
sd_zbc_release_disk() into a nop if sdkp->device is NULL.

Reported-by: Dongliang Mu <mudongliangabcd@...il.com>
Signed-off-by: Damien Le Moal <damien.lemoal@...nsource.wdc.com>
---
  drivers/scsi/sd_zbc.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c
index 5b9fad70aa88..236a766c8de4 100644
--- a/drivers/scsi/sd_zbc.c
+++ b/drivers/scsi/sd_zbc.c
@@ -804,7 +804,7 @@ static void sd_zbc_clear_zone_info(struct scsi_disk 
*sdkp)

  void sd_zbc_release_disk(struct scsi_disk *sdkp)
  {
-	if (sd_is_zoned(sdkp))
+	if (sdkp->device && sd_is_zoned(sdkp))
  		sd_zbc_clear_zone_info(sdkp);
  }
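Review bot: the guard on `sdkp->device` is added in the one caller, but sd_is_zoned() itself still evaluates `sdkp->device->type` unconditionally whenever `sdkp->zoned != 1`, so any other path that reaches sd_is_zoned() with a partially initialized sdkp (zeroed by kzalloc(), device not yet assigned) keeps the same NULL dereference. Consider either placing the NULL check inside sd_is_zoned() or adding a comment above sd_zbc_release_disk() stating that it must tolerate an sdkp whose `device` has not been set, so the next caller does not drop the guard.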

-- 
2.36.1


-- 
Damien Le Moal
Western Digital Research
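The bug and the fix discussed above, as an added stand-alone illustration that is not kernel code and not part of the thread: a user-space model of sd_is_zoned() and sd_zbc_release_disk() run against a zero-initialized disk whose `device` pointer was never assigned (the early sd_probe() error path) and against a fully probed one. The struct layouts, TYPE_ZBC_MODEL, and the `zone_info_cleared` field are constructed for this example; the short-circuit order in the `||` is kept from the kernel helper because it is what makes the zeroed case reach the NULL pointer.

```c
/* Constructed model of the partially-initialised teardown bug; the kernel
 * names are mirrored but all code here is a stand-alone reimplementation. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define TYPE_ZBC_MODEL 0x14 /* constructed stand-in for the kernel's TYPE_ZBC */

struct scsi_device_model {
    int type;
};

struct scsi_disk_model {
    struct scsi_device_model *device; /* NULL until probe assigns it */
    int zoned;                        /* 0 right after kzalloc() */
    int zone_info_cleared;            /* records whether teardown ran */
};

/* Mirrors sd_is_zoned(): the || short-circuits only when zoned == 1, so a
 * zeroed disk always evaluates device->type and dereferences NULL. */
static bool model_is_zoned(const struct scsi_disk_model *sdkp)
{
    return sdkp->zoned == 1 || sdkp->device->type == TYPE_ZBC_MODEL;
}

/* Unpatched release: crashes when device was never assigned. */
static void release_disk_unpatched(struct scsi_disk_model *sdkp)
{
    if (model_is_zoned(sdkp))
        sdkp->zone_info_cleared = 1;
}

/* Patched release, following the posted hunk: a nop while device is NULL. */
static void release_disk_patched(struct scsi_disk_model *sdkp)
{
    if (sdkp->device && model_is_zoned(sdkp))
        sdkp->zone_info_cleared = 1;
}

/* Simulates sd_probe() failing right after the zeroed allocation.
 * Returns 1 when teardown completes without touching zone info. */
int simulate_early_probe_failure(void)
{
    struct scsi_disk_model *sdkp = calloc(1, sizeof(*sdkp)); /* kzalloc() */
    if (!sdkp)
        return -1;
    /* error path: sdkp->device is still NULL here */
    release_disk_patched(sdkp); /* release_disk_unpatched() would crash here */
    int ok = (sdkp->zone_info_cleared == 0);
    free(sdkp);
    return ok;
}

/* Fully probed ZBC disk: both variants must still clear zone info, which
 * shows the guard only changes the NULL-device path. Returns 1 on success. */
int simulate_normal_teardown(void)
{
    struct scsi_device_model dev = { .type = TYPE_ZBC_MODEL };
    struct scsi_disk_model a = { .device = &dev };
    struct scsi_disk_model b = { .device = &dev };

    release_disk_unpatched(&a);
    release_disk_patched(&b);
    return a.zone_info_cleared == 1 && b.zone_info_cleared == 1;
}

int main(void)
{
    printf("early probe failure handled safely: %d\n", simulate_early_probe_failure());
    printf("normal teardown still clears info:  %d\n", simulate_normal_teardown());
    return 0;
}
```

The point to take from the model is that a teardown helper called from an error path has to be written against the weakest state the allocation can be in, which for a kzalloc()'d struct means every pointer member may still be NULL.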
