| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <595a03f6-e93a-4f2c-bf0a-01e428897c15@kernel.org>
Date: Fri, 29 Mar 2024 08:00:00 +0900
From: Damien Le Moal <dlemoal@...nel.org>
To: Mikhail Ukhin <mish.uxin2012@...dex.ru>, Jens Axboe <axboe@...nel.dk>
Cc: linux-ide@...r.kernel.org, linux-kernel@...r.kernel.org,
Niklas Cassel <cassel@...nel.org>, Pavel Koshutin
<koshutin.pavel@...dex.ru>, Artem Sadovnikov <ancowi69@...il.com>,
Mikhail Ivanov <iwanov-23@...ru>
Subject: Re: [PATCH 5.10/5.15] ata: libata-scsi: check cdb length for
VARIABLE_LENGTH_CMD commands
On 3/29/24 00:00, Mikhail Ukhin wrote:
> Fuzzing of 5.10 stable branch reports a slab-out-of-bounds error in
> ata_scsi_pass_thru.
>
> The error is fixed in 5.18 by commit ce70fd9a551a ("scsi: core: Remove the
> cmd field from struct scsi_request").
> Backporting this commit would require significant changes to the code so
> it is bettter to use a simple fix for that particular error.
>
> The problem is that the length of the received SCSI command is not
> validated if scsi_op == VARIABLE_LENGTH_CMD. It can lead to out-of-bounds
> reading if the user sends a request with SCSI command of length less than
> 32.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Signed-off-by: Artem Sadovnikov <ancowi69@...il.com>
> Signed-off-by: Mikhail Ivanov <iwanov-23@...ru>
This looks OK to me, but:
1) Please stop using the wrong email address for me. Use
scripts/get_maintainer.pl to see the correct email address (the one I am using
now). And maintainers & main list should not be on cc but part of the "to:"
addressing.
2) Please read Documentation/process/stable-kernel-rules.rst and see Option 3. I
cannot take this patch. It needs to go through the stable tree after I Ack it.
> ---
> drivers/ata/libata-scsi.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
> index dfa090ccd21c..77589e911d3d 100644
> --- a/drivers/ata/libata-scsi.c
> +++ b/drivers/ata/libata-scsi.c
> @@ -4065,6 +4065,9 @@ int __ata_scsi_queuecmd(struct scsi_cmnd *scmd, struct ata_device *dev)
>
> if (unlikely(!scmd->cmd_len))
> goto bad_cdb_len;
> +
> + if (scsi_op == VARIABLE_LENGTH_CMD && scmd->cmd_len < 32)
> + goto bad_cdb_len;
>
> if (dev->class == ATA_DEV_ATA || dev->class == ATA_DEV_ZAC) {
> if (unlikely(scmd->cmd_len > dev->cdb_len))
--
Damien Le Moal
Western Digital Research
Powered by blists - more mailing lists