Message-ID: <20250919021104.3726271-1-lgs201920130244@gmail.com>
Date: Fri, 19 Sep 2025 10:11:04 +0800
From: Guangshuo Li <lgs201920130244@...il.com>
To: HighPoint Linux Team <linux@...hpoint-tech.com>,
	"James E.J. Bottomley" <James.Bottomley@...senPartnership.com>,
	"Martin K. Petersen" <martin.petersen@...cle.com>,
	James Bottomley <James.Bottomley@...elEye.com>,
	linux-scsi@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Guangshuo Li <lgs201920130244@...il.com>,
	stable@...r.kernel.org
Subject: [PATCH] scsi: hptiop: Add check for device-provided context pointer in ITL callback

An untrusted device may return a NULL context pointer in the request
header. hptiop_iop_request_callback_itl() dereferences that pointer
unconditionally to write result fields and to invoke arg->done(), which
can cause a NULL pointer dereference.

Add a NULL check for the reconstructed context pointer. If it is NULL,
acknowledge the request by writing the tag to the outbound queue and
return early.

Fixes: ede1e6f8b432 ("[SCSI] hptiop: HighPoint RocketRAID 3xxx controller driver")
Cc: stable@...r.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@...il.com>
---
 drivers/scsi/hptiop.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/hptiop.c b/drivers/scsi/hptiop.c
index 21f1d9871a33..2b29cd83ce5e 100644
--- a/drivers/scsi/hptiop.c
+++ b/drivers/scsi/hptiop.c
@@ -812,6 +812,11 @@ static void hptiop_iop_request_callback_itl(struct hptiop_hba *hba, u32 tag)
 		(readl(&req->context) |
 			((u64)readl(&req->context_hi32)<<32));
 
+	if (!arg) {
+		writel(tag, &hba->u.itl.iop->outbound_queue);
+		return;
+	}
+
 	if (readl(&req->result) == IOP_RESULT_SUCCESS) {
 		arg->result = HPT_IOCTL_RESULT_OK;
 
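Review bot: The new `if (!arg)` test rejects only NULL, but `arg` is rebuilt just above from `readl(&req->context)` and `readl(&req->context_hi32)`, so any other value the device puts in those fields is still dereferenced at `arg->result` and later through `arg->done()`. If the device is treated as untrusted, as the commit message says, compare the reconstructed pointer against one the driver recorded when it issued the request, rather than trusting the value that round-trips through device memory. The early-return path also acknowledges the tag silently; a rate-limited warning there would make a misbehaving controller visible in the logs, and a short comment on why the tag is still written to `outbound_queue` would help the next reader.
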
-- 
2.43.0

