lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 1 Jun 2023 07:23:52 +0000
From:   Maximilian Heyne <mheyne@...zon.de>
To:     "Martin K. Petersen" <martin.petersen@...cle.com>
CC:     Kashyap Desai <kashyap.desai@...adcom.com>,
        Sumit Saxena <sumit.saxena@...adcom.com>,
        Shivasharan S <shivasharan.srikanteshwara@...adcom.com>,
        "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        James Bottomley <JBottomley@...allels.com>,
        Adam Radford <aradford@...il.com>,
        Christoph Hellwig <hch@...radead.org>,
        <megaraidlinux.pdl@...adcom.com>, <linux-scsi@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] scsi: megaraid: Fix uninitialized mbox in mega_cmd_done

On Wed, May 31, 2023 at 06:38:12PM -0400, Martin K. Petersen wrote:
> Hi Maximilian!

Hi Martin,

thanks for your response.

> 
> > This is similar to commit 7a2ae008a53c ("scsi: megaraid: Fix
> > mega_cmd_done() CMDID_INT_CMDS").
> 
> That's supposed to be commit 75cb113cd43f, right?

Sorry, yes I meant this commit. I accidentally got the commit id form the 5.4
backport.

> 
> > When cmdid == CMDID_INT_CMDS and status != 0 then mbox is still NULL
> > but is dereferenced below.
> 
> Is this actually a valid scenario, though? The mbox is only dereferenced
> if there is status returned from an attached device. And I am guessing
> that a controller-internal command does not talk to any attached device.
> Thus status should always be 0 for CMDID_INT_CMDS. I don't have the
> megaraid firmware manual so this is pure guesswork on my part. But you
> would think we would have come across an invalid deref since the
> original 2014 commit made the offending change.
> 

This could indeed be the case. I only found this because it was reported by
static code analysis. However, by reading the code it's not obvious that this is
how it works. Should we therefore skip the whole status checking switch for
internal commands to make it more clear? For example, by a goto to the end of
the loop when the scb gets freed or just adding the scb free, list removal
and a continue?




Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ