From: Tomas Henzl <thenzl@redhat.com>
To: linux-scsi@vger.kernel.org
Cc: mikoxyzzz@gmail.com
Subject: [PATCH v2 1/4] ses: fix slab-out-of-bounds reported by KASAN in ses_enclosure_data_process
Date: Thu,  2 Feb 2023 17:24:48 +0100
Message-ID: <20230202162451.15346-2-thenzl@redhat.com>
In-Reply-To: <20230202162451.15346-1-thenzl@redhat.com>

A fix for:
BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses]
Read of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271
Checking after (and before in next loop) addl_desc_ptr[1] is sufficient,
we expect the size to be sanitized before first access to addl_desc_ptr[1].
Testing for one more byte shall protect partially the ses_process_descriptor.

Signed-off-by: Tomas Henzl <thenzl@redhat.com>
---
 drivers/scsi/ses.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 0a1734f34587..1ee927ac8603 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -603,9 +603,11 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
 			     /* these elements are optional */
 			     type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
 			     type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
-			     type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
+			     type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)){
 				addl_desc_ptr += addl_desc_ptr[1] + 2;
-
+				if (addl_desc_ptr + 1 >= ses_dev->page10 + ses_dev->page10_len)
+					addl_desc_ptr = NULL;
+			}
 		}
 	}
 	kfree(buf);
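Review bot: the added test `if (addl_desc_ptr + 1 >= ses_dev->page10 + ses_dev->page10_len)` only establishes that bytes [0] and [1] of the next descriptor lie inside page10, not that the whole descriptor of `addl_desc_ptr[1] + 2` bytes does, so whatever later reads the descriptor body can still run past the end of the buffer (the commit message itself says ses_process_descriptor is only partially protected). Consider also checking the next descriptor's full length against the remaining bytes before it is used, and comparing against a remaining-length count rather than forming a pointer that may already be well past the end of page10 after the `+=`. The read of `addl_desc_ptr[1]` in the increment on the first pass relies on a size check that is not visible in this hunk; a short comment naming where that is guaranteed would help. Style: kernel coding style wants a space before the opening brace, `)) {` rather than `)){`.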
-- 
2.38.1


Thread overview: 7+ messages
2023-02-02 16:24 [PATCH v2 0/4] ses: prevent from out of bounds accesses Tomas Henzl
2023-02-02 16:24 ` Tomas Henzl [this message]
2023-02-02 16:24 ` [PATCH v2 2/4] ses: fix possible addl_desc_ptr out-of-bounds accesses in ses_enclosure_data_process Tomas Henzl
2023-02-02 16:24 ` [PATCH v2 3/4] ses: fix possible desc_ptr " Tomas Henzl
2023-02-02 16:24 ` [PATCH v2 4/4] ses: fix slab-out-of-bounds reported by KASAN in ses_intf_remove Tomas Henzl
2023-02-21 22:59 ` [PATCH v2 0/4] ses: prevent from out of bounds accesses Martin K. Petersen
2023-02-22 15:24   ` Tomas Henzl
