lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1bb8de35-16ba-6c7c-0ef6-67a7226a0a2d@oracle.com>
Date:   Sat, 28 Jan 2023 19:40:12 +0100
From:   Vegard Nossum <vegard.nossum@...cle.com>
To:     Kees Cook <keescook@...omium.org>,
        Bart Van Assche <bvanassche@....org>
Cc:     Hannes Reinecke <hare@...e.de>,
        Himanshu Madhani <himanshu.madhani@...cle.com>,
        Adaptec OEM Raid Solutions <aacraid@...rosemi.com>,
        "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        linux-scsi@...r.kernel.org, stable@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] scsi: aacraid: Allocate cmd_priv with scsicmd

Just a couple of observations.

On 1/28/23 01:04, Kees Cook wrote:
> The aac_priv() helper assumes that the private cmd area immediately
> follows struct scsi_cmnd. Allocate this space as part of scsicmd,
> else there is a risk of heap overflow. Seen with GCC 13:
> 
> ../drivers/scsi/aacraid/aachba.c: In function 'aac_probe_container':
> ../drivers/scsi/aacraid/aachba.c:841:26: warning: array subscript 16 is outside array bounds of 'void[392]' [-Warray-bounds=]

An object of size 392 would get allocated with size 512 (at least by
SLUB, AFAICT), so the risk of something going terribly wrong is probably
fairly small. Not that it shouldn't be fixed, of course...

KASAN should have caught this too, right? Does this mean nobody's tried
this driver with KASAN, or is this some kind of rare code path? (Just
asking for my own understanding.)

>   int aac_probe_container(struct aac_dev *dev, int cid)
>   {
> -	struct scsi_cmnd *scsicmd = kzalloc(sizeof(*scsicmd), GFP_KERNEL);
> -	struct aac_cmd_priv *cmd_priv = aac_priv(scsicmd);
> +	struct aac_cmd_priv *cmd_priv;
> +	struct scsi_cmnd *scsicmd = kzalloc(sizeof(*scsicmd) + sizeof(*cmd_priv), GFP_KERNEL);
>   	struct scsi_device *scsidev = kzalloc(sizeof(*scsidev), GFP_KERNEL);
>   	int status;
>   
> @@ -838,6 +838,7 @@ int aac_probe_container(struct aac_dev *dev, int cid)
>   		while (scsicmd->device == scsidev)
>   			schedule();
>   	kfree(scsidev);
> +	cmd_priv = aac_priv(scsicmd);
>   	status = cmd_priv->status;
>   	kfree(scsicmd);
>   	return status;

aac_priv() uses scsi_cmd_priv() which has the comment:

/*
  * Return the driver private allocation behind the command.
  * Only works if cmd_size is set in the host template.
  */

This is set for this driver:

static struct scsi_host_template aac_driver_template = {
[...]
    .cmd_size                       = sizeof(struct aac_cmd_priv),

I looked around to see if there was some kind of "allocate cmd" helper,
but couldn't find it -- scsi_ioctl_reset() allocates one (together with
struct request) and there are a few uses of ->cmd_size in
drivers/scsi/scsi_lib.c but there doesn't seem to be a common code path
for this.

I guess you could use dev->host->hostt->cmd_size or something, but that
doesn't seem worth it since this is driver specific and we already know
what the correct value should be.

FWIW:

Reviewed-by: Vegard Nossum <vegard.nossum@...cle.com>


Vegard

Powered by blists - more mailing lists