* [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs
@ 2021-10-09 7:52 Ye Bin
2021-10-09 7:52 ` [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16 Ye Bin
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Ye Bin @ 2021-10-09 7:52 UTC (permalink / raw)
To: jejb, martin.petersen, linux-scsi, linux-kernel; +Cc: Ye Bin
Ye Bin (2):
scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs
drivers/scsi/scsi_debug.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--
2.31.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
2021-10-09 7:52 [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Ye Bin
@ 2021-10-09 7:52 ` Ye Bin
2021-10-09 7:52 ` [PATCH v2 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs Ye Bin
2021-10-12 17:00 ` [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Martin K. Petersen
2 siblings, 0 replies; 4+ messages in thread
From: Ye Bin @ 2021-10-09 7:52 UTC (permalink / raw)
To: jejb, martin.petersen, linux-scsi, linux-kernel; +Cc: Ye Bin
We got following warning when runing syzkaller:
[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;
[ 3813.830724] program syz-executor not setting count and/or reply_len properly
[ 3813.836956] ==================================================================
[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549
[ 3813.846612] Call Trace:
[ 3813.846995] dump_stack+0x108/0x15f
[ 3813.847524] print_address_description+0xa5/0x372
[ 3813.848243] kasan_report.cold+0x236/0x2a8
[ 3813.849439] check_memory_region+0x240/0x270
[ 3813.850094] memcpy+0x30/0x80
[ 3813.850553] sg_copy_buffer+0x157/0x1e0
[ 3813.853032] sg_copy_from_buffer+0x13/0x20
[ 3813.853660] fill_from_dev_buffer+0x135/0x370
[ 3813.854329] resp_readcap16+0x1ac/0x280
[ 3813.856917] schedule_resp+0x41f/0x1630
[ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0
[ 3813.862699] scsi_dispatch_cmd+0x330/0x950
[ 3813.863329] scsi_request_fn+0xd8e/0x1710
[ 3813.863946] __blk_run_queue+0x10b/0x230
[ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400
[ 3813.865220] sg_common_write.isra.0+0xe61/0x2420
[ 3813.871637] sg_write+0x6c8/0xef0
[ 3813.878853] __vfs_write+0xe4/0x800
[ 3813.883487] vfs_write+0x17b/0x530
[ 3813.884008] ksys_write+0x103/0x270
[ 3813.886268] __x64_sys_write+0x77/0xc0
[ 3813.886841] do_syscall_64+0x106/0x360
[ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9
We can reproduce this issue with following syzkaller log:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00')
open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)
r2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)
write$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)
As in resp_readcap16 we get "int alloc_len" value -1104926854, and then pass
huge arr_len to fill_from_dev_buffer, but arr is only has 32 bytes space. So
lead to OOB in sg_copy_buffer.
To solve this issue just define alloc_len with U32 type.
Signed-off-by: Ye Bin <yebin10@huawei.com>
---
drivers/scsi/scsi_debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 66f507469a31..be0440545744 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1856,7 +1856,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
{
unsigned char *cmd = scp->cmnd;
unsigned char arr[SDEBUG_READCAP16_ARR_SZ];
- int alloc_len;
+ u32 alloc_len;
alloc_len = get_unaligned_be32(cmd + 10);
/* following just in case virtual_gb changed */
@@ -1885,7 +1885,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
}
return fill_from_dev_buffer(scp, arr,
- min_t(int, alloc_len, SDEBUG_READCAP16_ARR_SZ));
+ min_t(u32, alloc_len, SDEBUG_READCAP16_ARR_SZ));
}
#define SDEBUG_MAX_TGTPGS_ARR_SZ 1412
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs
2021-10-09 7:52 [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Ye Bin
2021-10-09 7:52 ` [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16 Ye Bin
@ 2021-10-09 7:52 ` Ye Bin
2021-10-12 17:00 ` [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Martin K. Petersen
2 siblings, 0 replies; 4+ messages in thread
From: Ye Bin @ 2021-10-09 7:52 UTC (permalink / raw)
To: jejb, martin.petersen, linux-scsi, linux-kernel; +Cc: Ye Bin
We got follow issue when run syzkaller:
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815
CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe4/0x14a lib/dump_stack.c:118
print_address_description+0x73/0x280 mm/kasan/report.c:253
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report+0x272/0x370 mm/kasan/report.c:410
memcpy+0x1f/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:377 [inline]
sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
__blk_run_queue_uncond block/blk-core.c:464 [inline]
__blk_run_queue+0x1a4/0x380 block/blk-core.c:484
blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
sg_write+0x64/0xa0 drivers/scsi/sg.c:622
__vfs_write+0xed/0x690 fs/read_write.c:485
kill_bdev:block_device:00000000e138492c
vfs_write+0x184/0x4c0 fs/read_write.c:549
ksys_write+0x107/0x240 fs/read_write.c:599
do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
As with previous patch, we get 'alen' from command, and 'alen''s type is
int, If userspace pass large length we will get negative 'alen'.
So just set 'n'/'alen'/'rlen' with u32 type.
Signed-off-by: Ye Bin <yebin10@huawei.com>
---
drivers/scsi/scsi_debug.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index be0440545744..ead65cdfb522 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1896,8 +1896,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
unsigned char *cmd = scp->cmnd;
unsigned char *arr;
int host_no = devip->sdbg_host->shost->host_no;
- int n, ret, alen, rlen;
int port_group_a, port_group_b, port_a, port_b;
+ u32 alen, n, rlen;
+ int ret;
alen = get_unaligned_be32(cmd + 6);
arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC);
@@ -1959,9 +1960,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
* - The constructed command length
* - The maximum array size
*/
- rlen = min_t(int, alen, n);
+ rlen = min(alen, n);
ret = fill_from_dev_buffer(scp, arr,
- min_t(int, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
+ min_t(u32, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
kfree(arr);
return ret;
}
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs
2021-10-09 7:52 [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Ye Bin
2021-10-09 7:52 ` [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16 Ye Bin
2021-10-09 7:52 ` [PATCH v2 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs Ye Bin
@ 2021-10-12 17:00 ` Martin K. Petersen
2 siblings, 0 replies; 4+ messages in thread
From: Martin K. Petersen @ 2021-10-12 17:00 UTC (permalink / raw)
To: Ye Bin; +Cc: jejb, martin.petersen, linux-scsi, linux-kernel
Ye,
> scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
> scsi:scsi_debug: Fix out-of-bound read in resp_report_tgtpgs
Please CC: Doug Gilbert on scsi_debug patches.
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-10-12 17:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-09 7:52 [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Ye Bin
2021-10-09 7:52 ` [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16 Ye Bin
2021-10-09 7:52 ` [PATCH v2 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs Ye Bin
2021-10-12 17:00 ` [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Martin K. Petersen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.