lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2d5e3b6c-3a66-4f74-8367-51fa55bf0a1a@acm.org>
Date: Tue, 9 Apr 2024 09:59:18 -0700
From: Bart Van Assche <bvanassche@....org>
To: Sam Sun <samsun1006219@...il.com>, linux-kernel@...r.kernel.org
Cc: linux-scsi@...r.kernel.org, martin.petersen@...cle.com,
 jejb@...ux.ibm.com, dgilbert@...erlog.com, syzkaller@...glegroups.com,
 xrivendell7@...il.com
Subject: Re: [Bug] UBSAN: shift-out-of-bounds in sg_build_indirect

On 4/9/24 05:51, Sam Sun wrote:
> We further analyzed the root cause of this bug. In function
> sg_build_indirect of drivers/scsi/sg.c, variable order of line 1900 is
> calculated out using get_order(num), and num comes from
> scatter_elem_sz. If scatter_elem_sz is equal or below zero, the order
> returned will be 52, so that PAGE_SHIFT + order is 64, which is larger
> than 32 bits int range, causing shift-out-of bound. This bug is tested
> and still remains in the latest upstream linux (6.9-rc3).
> If you have any questions, please contact us.

Thank you for having root-caused this issue and also for having shared
your root-cause analysis. Do you perhaps plan to post a patch that fixes
this issue?

Thanks,

Bart.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ