| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251208073121.3773147-1-wdhh6@aliyun.com>
Date: Mon, 8 Dec 2025 15:31:21 +0800
From: Chaohai Chen <wdhh6@...yun.com>
To: john.g.garry@...cle.com,
yanaijie@...wei.com,
James.Bottomley@...senPartnership.com,
martin.petersen@...cle.com,
dlemoal@...nel.org,
mingo@...nel.org,
cassel@...nel.org,
tglx@...utronix.de,
wdhh6@...yun.com
Cc: linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] scsi: libsas: Fix potential array out of bounds in sas_check_*_expander_topo().
No check was made to ensure that parent_phy->appended_phy_id is within the
valid range. If the expander reports an invalid phy_id, it may cause the
array to be out of bounds.
Signed-off-by: Chaohai Chen <wdhh6@...yun.com>
---
drivers/scsi/libsas/sas_expander.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
index d953225f6cc2..07633d795182 100644
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -1266,6 +1266,11 @@ static int sas_check_edge_expander_topo(struct domain_device *child,
struct expander_device *parent_ex = &child->parent->ex_dev;
struct ex_phy *child_phy;
+ if (parent_phy->attached_phy_id >= child_ex->num_phys) {
+ pr_err("Invalid attached_phy_id:%u, num_phys:%u\n",
+ parent_phy->attached_phy_id, child_ex->num_phys);
+ return -EINVAL;
+ }
child_phy = &child_ex->ex_phy[parent_phy->attached_phy_id];
if (child->dev_type == SAS_FANOUT_EXPANDER_DEVICE) {
@@ -1296,6 +1301,11 @@ static int sas_check_fanout_expander_topo(struct domain_device *child,
struct expander_device *child_ex = &child->ex_dev;
struct ex_phy *child_phy;
+ if (parent_phy->attached_phy_id >= child_ex->num_phys) {
+ pr_err("Invalid attached_phy_id:%u, num_phys:%u\n",
+ parent_phy->attached_phy_id, child_ex->num_phys);
+ return -EINVAL;
+ }
child_phy = &child_ex->ex_phy[parent_phy->attached_phy_id];
if (parent_phy->routing_attr == TABLE_ROUTING &&
--
2.43.7
Powered by blists - more mailing lists