| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Jul 2022 14:39:13 +0300
From: Valentina Goncharenko <goncharenko.vp@...ras.ru>
To: Anil Gurumurthy <anil.gurumurthy@...gic.com>
Cc: Valentina Goncharenko <goncharenko.vp@...ras.ru>,
Sudarsana Kalluru <sudarsana.kalluru@...gic.com>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Krishna Gudipati <kgudipat@...cade.com>,
James Bottomley <JBottomley@...allels.com>,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
ldv-project@...uxtesting.org
Subject: [PATCH] scsi: bfa: Harden loop checks in bfad_iocmd_ioc_get_info()
Loop conditions 'i < BFA_STRING_32' in bfad_iocmd_ioc_get_info() do
not prevent buffer overflow while writing data to
'iocmd->adapter_hwpath[i]' after the loop because on incorrect data
'i' can be incremented anyway.
The patch hardens the loop conditions to avoid buffer overflow in case
of invalid data, while it does not affect the processing of valid
'adapter_hwpath'.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: e6826c96ced7 ("[SCSI] bfa: Add support to read/update the FRU data.")
Signed-off-by: Valentina Goncharenko <goncharenko.vp@...ras.ru>
---
drivers/scsi/bfa/bfad_bsg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/bfa/bfad_bsg.c b/drivers/scsi/bfa/bfad_bsg.c
index be8dfbe13e90..73ef29c83262 100644
--- a/drivers/scsi/bfa/bfad_bsg.c
+++ b/drivers/scsi/bfa/bfad_bsg.c
@@ -98,9 +98,9 @@ bfad_iocmd_ioc_get_info(struct bfad_s *bfad, void *cmd)
/* set adapter hw path */
strcpy(iocmd->adapter_hwpath, bfad->pci_name);
- for (i = 0; iocmd->adapter_hwpath[i] != ':' && i < BFA_STRING_32; i++)
+ for (i = 0; iocmd->adapter_hwpath[i] != ':' && i < BFA_STRING_32 - 2; i++)
;
- for (; iocmd->adapter_hwpath[++i] != ':' && i < BFA_STRING_32; )
+ for (; iocmd->adapter_hwpath[++i] != ':' && i < BFA_STRING_32 - 1; )
;
iocmd->adapter_hwpath[i] = '\0';
iocmd->status = BFA_STATUS_OK;
--
2.25.1
Powered by blists - more mailing lists