lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1fdfb9221f1cab04881d91e1e2d56ba97054a580.camel@gmail.com>
Date: Mon, 17 Feb 2025 19:39:30 +0100
From: Bean Huo <huobean@...il.com>
To: Arthur Simchaev <arthur.simchaev@...disk.com>, martin.petersen@...cle.com
Cc: avri.altman@...disk.com, Avi.Shchislowski@...disk.com,
 beanhuo@...ron.com,  linux-scsi@...r.kernel.org,
 linux-kernel@...r.kernel.org, bvanassche@....org
Subject: Re: [PATCH] scsi: ufs: core: Fix memory crash in case arpmb command
 failed

On Mon, 2025-02-17 at 18:43 +0200, Arthur Simchaev wrote:
> In case the device doesn't support arpmb, the kernel get memory crash
> due to copy user data in bsg_transport_sg_io_fn level. So in case
> ufshcd_send_bsg_uic_cmd returned error, do not change the job's
> reply_len.
> 
> Memory crash backtrace:
> 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -
> 22


It is Advanced RPMB access and not related to the UIC command, 

If the deivce didn't support advanced rpmb, got return -EINVAL(-22). 

In this case, in bsg_transport_sg_io_fn, 

if (job->result < 0) {
	job->reply_len = sizeof(u32); 

then:

 int len = min(hdr->max_response_len, job->reply_len); 
	if (copy_to_user(uptr64(hdr->response), job->reply, len))


It looks like you didn't initialize the correct response buffer from
user space.

Could you rephrase your commit message, add a Fixes tag, and resubmit?


Kind regards,
Bean

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ