Open Source and information security mailing list archives
 
Message-Id: <20231130142835.18041-2-dinghui@sangfor.com.cn>
Date:   Thu, 30 Nov 2023 22:28:34 +0800
From:   Ding Hui <dinghui@...gfor.com.cn>
To:     jejb@...ux.ibm.com, martin.petersen@...cle.com
Cc:     zhuwei@...gfor.com.cn, thenzl@...hat.com,
        linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
        Ding Hui <dinghui@...gfor.com.cn>
Subject: [PATCH 1/2] scsi: ses: Fix slab-out-of-bounds in ses_get_power_status()

From: Zhu Wei <zhuwei@...gfor.com.cn>

A fix for:

BUG: KASAN: slab-out-of-bounds in ses_get_power_status+0x178/0x1a8 [ses]
Read of size 1 at addr ffffa5e3f9466a2b by task grep/102588
Call trace:
 ses_get_power_status+0x178/0x1a8 [ses]
 get_component_power_status+0x94/0x1f0 [enclosure]
 dev_attr_show+0x5c/0xc8
 sysfs_kf_seq_show+0x1b0/0x350
 kernfs_seq_show+0x10c/0x160
 seq_read+0x250/0xe28

If the page2 buffer is less than the number of elements indicated by page1,
that will cause desc_ptr to point out of bounds.

The report occurs when we read sg power_status where the iSCSI target is a Dell
PowerVault MD3200i storage server.

Signed-off-by: Zhu Wei <zhuwei@...gfor.com.cn>
Signed-off-by: Ding Hui <dinghui@...gfor.com.cn>
---
 drivers/scsi/ses.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index d7d0c35c58b8..2a404e51b6db 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -165,6 +165,8 @@ static int ses_set_page2_descriptor(struct enclosure_device *edev,
 	for (i = 0; i < ses_dev->page1_num_types; i++, type_ptr += 4) {
 		for (j = 0; j < type_ptr[1]; j++) {
 			desc_ptr += 4;
+			if (desc_ptr - ses_dev->page2 + 4 > ses_dev->page2_len)
+				break;
 			if (type_ptr[0] != ENCLOSURE_COMPONENT_DEVICE &&
 			    type_ptr[0] != ENCLOSURE_COMPONENT_ARRAY_DEVICE)
 				continue;
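
Review bot: the added "break" in ses_set_page2_descriptor() leaves only the inner "for (j ...)" loop, so the outer loop over ses_dev->page1_num_types keeps running after the page2 buffer is already known to be too short, and the caller gets no indication that the walk was cut off. The function returns int, so returning an error at this point (or jumping to a common exit) would stop the walk at the first short descriptor and match the "return NULL" used for the same condition in ses_get_page2_descriptor(). A one-line comment saying that some enclosures report a page 2 shorter than the element count in page 1 would also help the next reader understand why the check exists.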
@@ -196,6 +198,8 @@ static unsigned char *ses_get_page2_descriptor(struct enclosure_device *edev,
 	for (i = 0; i < ses_dev->page1_num_types; i++, type_ptr += 4) {
 		for (j = 0; j < type_ptr[1]; j++) {
 			desc_ptr += 4;
+			if (desc_ptr - ses_dev->page2 + 4 > ses_dev->page2_len)
+				return NULL;
 			if (type_ptr[0] != ENCLOSURE_COMPONENT_DEVICE &&
 			    type_ptr[0] != ENCLOSURE_COMPONENT_ARRAY_DEVICE)
 				continue;
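
Review bot: the bounds test "desc_ptr - ses_dev->page2 + 4 > ses_dev->page2_len" added in ses_get_page2_descriptor() is the same open-coded expression as in the first hunk, with no comment in either place; a small static helper taking ses_dev and desc_ptr would keep the two walks from drifting apart and give one place to document the assumption that each element descriptor is 4 bytes. Since this path now returns NULL when page 2 is short, please confirm in the changelog that ses_get_power_status() (the function in the KASAN trace) and the other callers check for a NULL return, because those call sites are not part of this patch.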
-- 
2.17.1
