* [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: jianchao.wang @ 2019-03-14 3:19 UTC (permalink / raw)
To: jejb, martin.petersen
Cc: linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez
Dear all,
When our customer probed the lpfc devices, they encountered odd memory corruption issues,
and we got an 'out of bound' access warning at the following position after enabling KASAN:
ses_enclosure_data_process
for (i = 0; i < types; i++, type_ptr += 4) {
	for (j = 0; j < type_ptr[1]; j++) {
	                ^^^^^^^^^^^
	                out of bound
With some debug logging, I got the following:
page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
Would anyone please give some suggestions on this?
Thanks
Jianchao
* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: jianchao.wang @ 2019-03-18 3:13 UTC (permalink / raw)
To: jejb, martin.petersen
Cc: linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez
Would anyone please give some suggestions?
It looks like there is something wrong in the read-in data:
/* skip all the enclosure descriptors */
for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
	types += type_ptr[2];
	type_ptr += type_ptr[3] + 4; ----> here
}
Then type_ptr goes out of bounds of the buffer.
Thanks
Jianchao
On 3/14/19 11:19 AM, jianchao.wang wrote:
> Dear all
>
> When our customer probed the lpfc devices, they encountered odd memory corruption issues,
> and we got an 'out of bound' access warning at the following position after enabling KASAN:
>
> ses_enclosure_data_process
>
> for (i = 0; i < types; i++, type_ptr += 4) {
> 	for (j = 0; j < type_ptr[1]; j++) {
> 	                ^^^^^^^^^^^
> 	                out of bound
>
> With some debug logging, I got the following:
>
> page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
>
> Would anyone please give some suggestions on this?
>
> Thanks
> Jianchao
>
* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: Junxiao Bi @ 2019-03-18 4:17 UTC (permalink / raw)
To: james.smart, dick.kennedy
Cc: jianchao.wang, jejb, martin.petersen, linux-scsi, linux-kernel,
diego.gonzalez
Adding lpfc maintainers James & Dick. Could you help take a look?
Thanks,
Junxiao.
On 3/18/19 11:13 AM, jianchao.wang wrote:
> Would anyone please give some suggestions?
>
> It looks like there is something wrong in the read-in data:
>
> /* skip all the enclosure descriptors */
> for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
> 	types += type_ptr[2];
> 	type_ptr += type_ptr[3] + 4; ----> here
> }
> Then type_ptr goes out of bounds of the buffer.
>
>
> Thanks
> Jianchao
>
> On 3/14/19 11:19 AM, jianchao.wang wrote:
>> Dear all
>>
>> When our customer probed the lpfc devices, they encountered odd memory corruption issues,
>> and we got an 'out of bound' access warning at the following position after enabling KASAN:
>>
>> ses_enclosure_data_process
>>
>> for (i = 0; i < types; i++, type_ptr += 4) {
>> 	for (j = 0; j < type_ptr[1]; j++) {
>> 	                ^^^^^^^^^^^
>> 	                out of bound
>>
>> With some debug logging, I got the following:
>>
>> page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
>>
>> Would anyone please give some suggestions on this?
>>
>> Thanks
>> Jianchao
>>
* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: Martin K. Petersen @ 2019-03-18 5:01 UTC (permalink / raw)
To: jianchao.wang
Cc: jejb, martin.petersen, linux-scsi, linux-kernel, Junxiao Bi,
diego.gonzalez
Jianchao,
> When our customer probed the lpfc devices, they encountered odd memory
> corruption issues, and we got an 'out of bound' access warning at the
> following position after enabling KASAN:
Please provide the output of:
# sg_ses -p 1 /dev/sgN
# sg_ses -p 7 /dev/sgN
for the enclosure device in question.
--
Martin K. Petersen Oracle Linux Engineering
* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: jianchao.wang @ 2019-03-18 5:09 UTC (permalink / raw)
To: Martin K. Petersen
Cc: jejb, linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez
Hi Martin,
Thanks for your kind response.
On 3/18/19 1:01 PM, Martin K. Petersen wrote:
>
> Jianchao,
>
>> When our customer probed the lpfc devices, they encountered odd memory
>> corruption issues, and we got an 'out of bound' access warning at the
>> following position after enabling KASAN:
>
> Please provide the output of:
>
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
>
> for the enclosure device in question.
OK, I will send this to the customer and share the result here after I get feedback.
Thanks
Jianchao
* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: Ewan D. Milne @ 2019-03-18 15:22 UTC (permalink / raw)
To: Martin K. Petersen, jianchao.wang
Cc: jejb, linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez
On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
> Jianchao,
>
> > When our customer probed the lpfc devices, they encountered odd memory
> > corruption issues, and we got an 'out of bound' access warning at the
> > following position after enabling KASAN:
>
> Please provide the output of:
>
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
>
> for the enclosure device in question.
>
The ses driver is allocating kernel buffers based upon the size
reported by RECEIVE DIAGNOSTIC commands, and is iterating through
them based on sizes in the individual descriptors. It appears to
be vulnerable to incorrect data from the device causing out-of-bounds
memory access, because the for() test does not prevent the use of
the pointer in subsequent code, e.g.:
for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
	types += type_ptr[2];
	type_ptr += type_ptr[3] + 4;
}

ses_dev->page1_types = type_ptr;
ses_dev->page1_num_types = types;
Whether or not this is the current problem, it's wrong.
-Ewan
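The defect Ewan points out, and the numbers in Jianchao's debug line (len 32, types 5, type_ptr at buf + 0x44), can be reproduced on a constructed page 1 buffer without any hardware. The C program below is an added example, not code from this thread or from drivers/scsi/ses.c: it walks the enclosure descriptor list once the way the quoted loop does, and once with the bounds checks a hardened walk needs before the driver indexes through `type_ptr`. It assumes the SES page 1 layout the driver relies on (an 8-byte page header, then per enclosure a 4-byte descriptor header whose byte 2 counts type descriptor headers and byte 3 gives the body length, then 4-byte type descriptor headers whose byte 3 gives the descriptor text length); the function names, the two sample pages and their byte values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of walking the enclosure descriptor list of a SES page 1 buffer. */
struct page1_walk {
	size_t type_off;  /* offset of the first type descriptor header */
	size_t num_types; /* sum of the "number of type descriptor headers" fields */
};

/* Unchecked walk, mirroring the loop quoted in the thread (offsets instead of
 * pointers).  The bound is tested only before each iteration, so the last
 * descriptor's length byte can push type_off past len; later reads through it are OOB. */
static struct page1_walk ses_skip_enclosures_unchecked(const uint8_t *buf, size_t len)
{
	struct page1_walk w = { .type_off = 8, .num_types = 0 };
	size_t num_enclosures = buf[1] + 1;

	for (size_t i = 0; i < num_enclosures && w.type_off < len; i++) {
		w.num_types += buf[w.type_off + 2];
		w.type_off += buf[w.type_off + 3] + 4;
	}
	return w;
}

/* Checked walk: each header must be inside the buffer before it is read, no body
 * may run past the end, and the type headers plus their text must fit in what is
 * left.  Returns 0 on success, -1 on malformed data (drop the page in that case). */
static int ses_skip_enclosures_checked(const uint8_t *buf, size_t len,
				       struct page1_walk *out)
{
	struct page1_walk w = { .type_off = 8, .num_types = 0 };
	size_t num_enclosures, i, text_len = 0;

	if (len < 8)
		return -1;
	num_enclosures = buf[1] + 1;
	for (i = 0; i < num_enclosures; i++) {
		if (w.type_off + 4 > len)
			return -1;
		w.num_types += buf[w.type_off + 2];
		w.type_off += buf[w.type_off + 3] + 4;
		if (w.type_off > len)
			return -1;
	}
	if (w.num_types > (len - w.type_off) / 4)
		return -1;
	for (i = 0; i < w.num_types; i++)
		text_len += buf[w.type_off + 4 * i + 3];
	if (text_len > len - w.type_off - 4 * w.num_types)
		return -1;
	*out = w;
	return 0;
}

static uint8_t good_page[64], bad_page[64]; /* constructed sample pages */
static struct page1_walk walk;              /* scratch result */

/* Well-formed sample: one enclosure descriptor with a 36-byte body, two type
 * descriptor headers and 7 bytes of descriptor text; 63 bytes total. */
static size_t build_good_page1(void)
{
	static const uint8_t hdr[8] = { 0x01, 0x00, 0x00, 0x3b, 0, 0, 0, 1 }; /* page length 59 */
	static const uint8_t encl[4] = { 0x10, 0x00, 0x02, 0x24 }; /* 2 type headers, body 36 */
	static const uint8_t types[8] = { 0x17, 4, 0, 4, 0x02, 2, 0, 3 }; /* 4 slots, 2 PSUs */
	memcpy(good_page, hdr, 8);
	memcpy(good_page + 8, encl, 4);
	memset(good_page + 12, 0, 36); /* logical id, vendor, product, revision */
	memcpy(good_page + 48, types, 8);
	memcpy(good_page + 56, "SlotPSU", 7); /* 4-byte and 3-byte descriptor texts */
	return 63;
}

/* Malformed sample: 32 bytes, but the single enclosure descriptor claims a 56-byte
 * body and 5 type headers, so the unchecked loop ends at offset 68 with types == 5,
 * the same numbers as the debug line quoted in the thread. */
static size_t build_bad_page1(void)
{
	memset(bad_page, 0, 32);
	bad_page[0] = 0x01; /* page code */
	bad_page[3] = 28;   /* page length: 28 bytes follow */
	bad_page[10] = 5;   /* number of type descriptor headers */
	bad_page[11] = 56;  /* descriptor length: next offset is 8 + 56 + 4 = 68 */
	return 32;
}

int main(void)
{
	size_t len = build_bad_page1();
	walk = ses_skip_enclosures_unchecked(bad_page, len);
	printf("bad page, unchecked: type_off %zu of len %zu (out of bounds)\n", walk.type_off, len);
	printf("bad page, checked: %s\n",
	       ses_skip_enclosures_checked(bad_page, len, &walk) ? "rejected" : "accepted");
	len = build_good_page1();
	if (ses_skip_enclosures_checked(good_page, len, &walk) == 0)
		printf("good page, checked: %zu types at offset %zu\n", walk.num_types, walk.type_off);
	return 0;
}
```

The unchecked walk deliberately never dereferences the out-of-range offset itself; on the malformed page it simply returns type_off 68 for a 32-byte buffer, which is exactly what the driver then hands to the `for (j = 0; j < type_ptr[1]; ...)` loop. The checked version refuses that page at the descriptor-length step, and additionally verifies that the type descriptor headers and their text fit, since the second loop in the driver reads both of those from the same buffer.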
* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: jianchao.wang @ 2019-03-19 2:41 UTC (permalink / raw)
To: Ewan D. Milne, Martin K. Petersen
Cc: jejb, linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez
On 3/18/19 11:22 PM, Ewan D. Milne wrote:
> On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
>> Jianchao,
>>
>>> When our customer probed the lpfc devices, they encountered odd memory
>>> corruption issues, and we got an 'out of bound' access warning at the
>>> following position after enabling KASAN:
>>
>> Please provide the output of:
>>
>> # sg_ses -p 1 /dev/sgN
>> # sg_ses -p 7 /dev/sgN
>>
>> for the enclosure device in question.
>>
>
> The ses driver is allocating kernel buffers based upon the size
> reported by RECEIVE DIAGNOSTIC commands, and is iterating through
> them based on sizes in the individual descriptors. It appears to
> be vulnerable to incorrect data from the device causing out-of-bounds
> memory access, because the for() test does not prevent the use of
> the pointer in subsequent code, e.g.:
>
> for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
> 	types += type_ptr[2];
> 	type_ptr += type_ptr[3] + 4;
> }
>
> ses_dev->page1_types = type_ptr;
> ses_dev->page1_num_types = types;
>
> Whether or not this is the current problem, it's wrong.
>
Yes, I definitely agree with this.
There should be some change here.
Thanks
Jianchao