lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1bb8de35-16ba-6c7c-0ef6-67a7226a0a2d@oracle.com> Date: Sat, 28 Jan 2023 19:40:12 +0100 From: Vegard Nossum <vegard.nossum@...cle.com> To: Kees Cook <keescook@...omium.org>, Bart Van Assche <bvanassche@....org> Cc: Hannes Reinecke <hare@...e.de>, Himanshu Madhani <himanshu.madhani@...cle.com>, Adaptec OEM Raid Solutions <aacraid@...rosemi.com>, "James E.J. Bottomley" <jejb@...ux.ibm.com>, "Martin K. Petersen" <martin.petersen@...cle.com>, linux-scsi@...r.kernel.org, stable@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH] scsi: aacraid: Allocate cmd_priv with scsicmd Just a couple of observations. On 1/28/23 01:04, Kees Cook wrote: > The aac_priv() helper assumes that the private cmd area immediately > follows struct scsi_cmnd. Allocate this space as part of scsicmd, > else there is a risk of heap overflow. Seen with GCC 13: > > ../drivers/scsi/aacraid/aachba.c: In function 'aac_probe_container': > ../drivers/scsi/aacraid/aachba.c:841:26: warning: array subscript 16 is outside array bounds of 'void[392]' [-Warray-bounds=] An object of size 392 would get allocated with size 512 (at least by SLUB, AFAICT), so the risk of something going terribly wrong is probably fairly small. Not that it shouldn't be fixed, of course... KASAN should have caught this too, right? Does this mean nobody's tried this driver with KASAN, or is this some kind of rare code path? (Just asking for my own understanding.) > int aac_probe_container(struct aac_dev *dev, int cid) > { > - struct scsi_cmnd *scsicmd = kzalloc(sizeof(*scsicmd), GFP_KERNEL); > - struct aac_cmd_priv *cmd_priv = aac_priv(scsicmd); > + struct aac_cmd_priv *cmd_priv; > + struct scsi_cmnd *scsicmd = kzalloc(sizeof(*scsicmd) + sizeof(*cmd_priv), GFP_KERNEL); > struct scsi_device *scsidev = kzalloc(sizeof(*scsidev), GFP_KERNEL); > int status; > > @@ -838,6 +838,7 @@ int aac_probe_container(struct aac_dev *dev, int cid) > while (scsicmd->device == scsidev) > schedule(); > kfree(scsidev); > + cmd_priv = aac_priv(scsicmd); > status = cmd_priv->status; > kfree(scsicmd); > return status; aac_priv() uses scsi_cmd_priv() which has the comment: /* * Return the driver private allocation behind the command. * Only works if cmd_size is set in the host template. */ This is set for this driver: static struct scsi_host_template aac_driver_template = { [...] .cmd_size = sizeof(struct aac_cmd_priv), I looked around to see if there was some kind of "allocate cmd" helper, but couldn't find it -- scsi_ioctl_reset() allocates one (together with struct request) and there are a few uses of ->cmd_size in drivers/scsi/scsi_lib.c but there doesn't seem to be a common code path for this. I guess you could use dev->host->hostt->cmd_size or something, but that doesn't seem worth it since this is driver specific and we already know what the correct value should be. FWIW: Reviewed-by: Vegard Nossum <vegard.nossum@...cle.com> Vegard
Powered by blists - more mailing lists