* [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
@ 2019-03-14  3:19 jianchao.wang
  2019-03-18  3:13 ` jianchao.wang
  2019-03-18  5:01   ` Martin K. Petersen
  0 siblings, 2 replies; 8+ messages in thread
From: jianchao.wang @ 2019-03-14  3:19 UTC (permalink / raw)
  To: jejb, martin.petersen
  Cc: linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez

Dear all

When our customer probed the lpfc devices, they encountered odd memory corruption issues,
and we got an 'out of bounds' access warning at the following position after enabling KASAN

ses_enclosure_data_process

for (i = 0; i < types; i++, type_ptr += 4) {
  for (j = 0; j < type_ptr[1]; j++) {
                   ^^^^^^^^^^^
                   out of bounds

With some debug log, I got following,

page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64

Would anyone please give some suggestions on this ?

Thanks
Jianchao


* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
  2019-03-14  3:19 [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process jianchao.wang
@ 2019-03-18  3:13 ` jianchao.wang
  2019-03-18  4:17   ` Junxiao Bi
  2019-03-18  5:01   ` Martin K. Petersen
  1 sibling, 1 reply; 8+ messages in thread
From: jianchao.wang @ 2019-03-18  3:13 UTC (permalink / raw)
  To: jejb, martin.petersen
  Cc: linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez

Would anyone please give some suggestions ?

It looks like there is something wrong in the read-in data,

	/* skip all the enclosure descriptors */
	for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
		types += type_ptr[2];
		type_ptr += type_ptr[3] + 4; ----> here
	}
Then the type_ptr got out of the bounds of the buffer.


Thanks
Jianchao

On 3/14/19 11:19 AM, jianchao.wang wrote:
> Dear all
> 
> When our customer probed the lpfc devices, they encountered odd memory corruption issues,
> and we got an 'out of bounds' access warning at the following position after enabling KASAN
> 
> ses_enclosure_data_process
> 
> for (i = 0; i < types; i++, type_ptr += 4) {
>   for (j = 0; j < type_ptr[1]; j++) {
>                    ^^^^^^^^^^^
>                    out of bounds
> 
> With some debug log, I got following,
> 
> page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
> 
> Would anyone please give some suggestions on this ?
> 
> Thanks
> Jianchao
> 


* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
  2019-03-18  3:13 ` jianchao.wang
@ 2019-03-18  4:17   ` Junxiao Bi
  0 siblings, 0 replies; 8+ messages in thread
From: Junxiao Bi @ 2019-03-18  4:17 UTC (permalink / raw)
  To: james.smart, dick.kennedy
  Cc: jianchao.wang, jejb, martin.petersen, linux-scsi, linux-kernel,
	diego.gonzalez

Add lpfc maintainer James & Dick.  Could you help take a look?

Thanks,

Junxiao.

On 3/18/19 11:13 AM, jianchao.wang wrote:
> Would anyone please give some suggestions ?
>
> It looks like there is something wrong in the read-in data,
>
> 	/* skip all the enclosure descriptors */
> 	for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
> 		types += type_ptr[2];
> 		type_ptr += type_ptr[3] + 4; ----> here
> 	}
> Then the type_ptr got out of the bounds of the buffer.
>
>
> Thanks
> Jianchao
>
> On 3/14/19 11:19 AM, jianchao.wang wrote:
>> Dear all
>>
>> When our customer probed the lpfc devices, they encountered odd memory corruption issues,
>> and we got an 'out of bounds' access warning at the following position after enabling KASAN
>>
>> ses_enclosure_data_process
>>
>> for (i = 0; i < types; i++, type_ptr += 4) {
>>    for (j = 0; j < type_ptr[1]; j++) {
>>                     ^^^^^^^^^^^
>>                     out of bounds
>>
>> With some debug log, I got following,
>>
>> page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
>>
>> Would anyone please give some suggestions on this ?
>>
>> Thanks
>> Jianchao
>>


* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
  2019-03-14  3:19 [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process jianchao.wang
@ 2019-03-18  5:01   ` Martin K. Petersen
  1 sibling, 0 replies; 8+ messages in thread
From: Martin K. Petersen @ 2019-03-18  5:01 UTC (permalink / raw)
  To: jianchao.wang
  Cc: jejb, martin.petersen, linux-scsi, linux-kernel, Junxiao Bi,
	diego.gonzalez


Jianchao,

> When our customer probed the lpfc devices, they encountered odd memory
> corruption issues, and we got an 'out of bounds' access warning at the
> following position after enabling KASAN

Please provide the output of:

# sg_ses -p 1 /dev/sgN
# sg_ses -p 7 /dev/sgN

for the enclosure device in question.

-- 
Martin K. Petersen	Oracle Linux Engineering


* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
  2019-03-18  5:01   ` Martin K. Petersen
@ 2019-03-18  5:09   ` jianchao.wang
  -1 siblings, 0 replies; 8+ messages in thread
From: jianchao.wang @ 2019-03-18  5:09 UTC (permalink / raw)
  To: Martin K. Petersen
  Cc: jejb, linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez

Hi Martin

Thanks for your kind response.

On 3/18/19 1:01 PM, Martin K. Petersen wrote:
> 
> Jianchao,
> 
>> When our customer probed the lpfc devices, they encountered odd memory
>> corruption issues, and we got an 'out of bounds' access warning at the
>> following position after enabling KASAN
> 
> Please provide the output of:
> 
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
> 
> for the enclosure device in question.

OK, I will send this to the customer
and share the result here after I get feedback.

Thanks
Jianchao


* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
  2019-03-18  5:01   ` Martin K. Petersen
@ 2019-03-18 15:22   ` Ewan D. Milne
  2019-03-19  2:41     ` jianchao.wang
  -1 siblings, 1 reply; 8+ messages in thread
From: Ewan D. Milne @ 2019-03-18 15:22 UTC (permalink / raw)
  To: Martin K. Petersen, jianchao.wang
  Cc: jejb, linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez

On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
> Jianchao,
> 
> > When our customer probed the lpfc devices, they encountered odd memory
> > corruption issues, and we got an 'out of bounds' access warning at the
> > following position after enabling KASAN
> 
> Please provide the output of:
> 
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
> 
> for the enclosure device in question.
> 

The ses driver is allocating kernel buffers based upon the size
reported by RECEIVE DIAGNOSTIC commands, and is iterating through
them based on sizes in the individual descriptors.  It appears to
be vulnerable to incorrect data from the device causing out-of-bounds
memory access, because the for() test does not prevent the use of
the pointer in subsequent code, e.g.:

        for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
                types += type_ptr[2];
                type_ptr += type_ptr[3] + 4;
        }

        ses_dev->page1_types = type_ptr;
        ses_dev->page1_num_types = types;

Whether or not this is the current problem, it's wrong.

-Ewan


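The two loops discussed in this thread, the enclosure-descriptor skip quoted just above and the type-descriptor loop from the first message, replayed on constructed data as an added example. This is user-space code written for this page, not code from drivers/scsi/ses.c or from any poster. It assumes the SES-2 layout of the Configuration diagnostic page (page code 0x01) and uses two constructed page buffers: a well-formed 64-byte one, and a 32-byte one shaped like the numbers in the first message, where 0xffff88042d1aad64 - 0xffff88042d1aad20 = 0x44 = 68, i.e. a type_ptr 36 bytes past the end of a 32-byte page. kernel_style_walk() replays the quoted loop on offsets and shows why its guard cannot bound the final pointer, first_oob_read() shows where ses_enclosure_data_process() would then read past the buffer, and ses_parse_page1() is one possible bounded walk. The function names, struct names and the two buffers are this example's own; the ENCLOSURE_COMPONENT_* values are the ones from include/linux/enclosure.h.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed SES-2 layout of diagnostic page 0x01: 8-byte header (page length in
 * bytes 2-3); per enclosure a 4-byte descriptor header (byte 2 = number of type
 * descriptor headers, byte 3 = body length) plus body; then 4-byte type headers
 * (byte 0 element type, byte 1 element count, byte 3 text length); then texts. */
#define SES_PAGE1_HDR_LEN     8
#define SES_ENCL_DESC_HDR_LEN 4
#define SES_TYPE_DESC_LEN     4
#define ENCLOSURE_COMPONENT_DEVICE       0x01 /* as in include/linux/enclosure.h */
#define ENCLOSURE_COMPONENT_ARRAY_DEVICE 0x17

/* Constructed well-formed page, 64 bytes: one enclosure with a 36-byte body and
 * two type headers (4 array device slots, 2 power supplies) plus their texts. */
const uint8_t good_page1[] = {
	0x01, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x01, /* page length 60 + 4 */
	0x11, 0x00, 0x02, 0x24,                         /* 2 type hdrs, body 36 */
	0, 0, 0, 0, 0, 0, 0, 0, 'V', 'E', 'N', 'D', 'O', 'R', ' ', ' ', 'P', 'R',
	'O', 'D', 'U', 'C', 'T', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', '0',
	'0', '0', '1', 0x17, 0x04, 0x00, 0x05, 0x02, 0x02, 0x00, 0x03, /* type hdrs */
	'S', 'l', 'o', 't', 's', 'P', 'S', 'U',
};

/* Constructed malformed page shaped like the thread's log: 32 bytes, one
 * enclosure claiming 5 type headers and a 56-byte body it does not have. */
const uint8_t bad_page1[] = {
	0x01, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01, /* page length 28 + 4 */
	0x11, 0x00, 0x05, 0x38,                         /* 5 type hdrs, body 56 */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* filler */
};

/* What the kernel would hold in type_ptr (as an offset) and page1_num_types. */
struct ses_walk { size_t type_off; unsigned types; };

/* Bounded byte read so the replay itself never touches memory past len. */
static unsigned peek(const uint8_t *b, size_t len, size_t off) { return off < len ? b[off] : 0; }

/* Replay of the "skip all the enclosure descriptors" loop on offsets. The guard
 * (type_ptr < buf + len) runs before each increment, so the last increment can
 * carry type_ptr arbitrarily far past the buffer, and nothing checks it after. */
static struct ses_walk kernel_style_walk(const uint8_t *buf, size_t len)
{
	struct ses_walk w = { SES_PAGE1_HDR_LEN, 0 };
	unsigned num_enclosures = peek(buf, len, 1) + 1;

	for (unsigned i = 0; i < num_enclosures && w.type_off < len; i++) {
		w.types += peek(buf, len, w.type_off + 2);
		w.type_off += peek(buf, len, w.type_off + 3) + SES_ENCL_DESC_HDR_LEN;
	}
	return w;
}

/* ses_enclosure_data_process() then reads type_ptr[1] for each of `types`
 * headers with no bound at all; return the first offset that loop would read
 * past len, or 0 if every read stays inside the buffer. */
static size_t first_oob_read(const struct ses_walk *w, size_t len)
{
	size_t off = w->type_off;

	for (unsigned i = 0; i < w->types; i++, off += SES_TYPE_DESC_LEN)
		if (off + 1 >= len)
			return off + 1;
	return 0;
}

struct ses_page1 { size_t type_off; unsigned num_types, components; };
/* Hardened walk: every byte is checked against len before it is read and the
 * final offset before it is stored. Returns 0, or -1 if the page is malformed. */
static int ses_parse_page1(const uint8_t *buf, size_t len, struct ses_page1 *out)
{
	if (len < SES_PAGE1_HDR_LEN || buf[0] != 0x01)
		return -1;
	size_t page_len = (((size_t)buf[2] << 8) | buf[3]) + 4;
	if (page_len > len) /* device claims more than was transferred */
		return -1;
	len = page_len;
	unsigned num_enclosures = buf[1] + 1, types = 0, components = 0;
	size_t off = SES_PAGE1_HDR_LEN;
	for (unsigned i = 0; i < num_enclosures; i++) {
		if (off + SES_ENCL_DESC_HDR_LEN > len) /* header must fit */
			return -1;
		types += buf[off + 2];
		off += buf[off + 3] + SES_ENCL_DESC_HDR_LEN;
	}
	/* every claimed type header must fit before types or off is trusted */
	if (off > len || (len - off) / SES_TYPE_DESC_LEN < types)
		return -1;
	for (unsigned i = 0; i < types; i++) {
		const uint8_t *t = buf + off + i * SES_TYPE_DESC_LEN;
		if (t[0] == ENCLOSURE_COMPONENT_DEVICE ||
		    t[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE)
			components += t[1]; /* slots, as ses_intf_add() counts them */
	}
	out->type_off = off;
	out->num_types = types;
	out->components = components;
	return 0;
}
```

Compile with cc -std=c99 -Wall and call the three functions on the two buffers. On bad_page1 the replay ends with type_off 68 and types 5, so the first unchecked read would hit offset 69 of a 32-byte buffer, while ses_parse_page1() rejects the page at the off > len check that the original loop lacks. A device that reports a page length larger than what was actually transferred is rejected by the same parser, which covers the other size Ewan notes the driver takes on trust.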

* Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
  2019-03-18 15:22   ` Ewan D. Milne
@ 2019-03-19  2:41     ` jianchao.wang
  0 siblings, 0 replies; 8+ messages in thread
From: jianchao.wang @ 2019-03-19  2:41 UTC (permalink / raw)
  To: Ewan D. Milne, Martin K. Petersen
  Cc: jejb, linux-scsi, linux-kernel, Junxiao Bi, diego.gonzalez



On 3/18/19 11:22 PM, Ewan D. Milne wrote:
> On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
>> Jianchao,
>>
>>> When our customer probed the lpfc devices, they encountered odd memory
>>> corruption issues, and we got an 'out of bounds' access warning at the
>>> following position after enabling KASAN
>>
>> Please provide the output of:
>>
>> # sg_ses -p 1 /dev/sgN
>> # sg_ses -p 7 /dev/sgN
>>
>> for the enclosure device in question.
>>
> 
> The ses driver is allocating kernel buffers based upon the size
> reported by RECEIVE DIAGNOSTIC commands, and is iterating through
> them based on sizes in the individual descriptors.  It appears to
> be vulnerable to incorrect data from the device causing out-of-bounds
> memory access, because the for() test does not prevent the use of
> the pointer in subsequent code, e.g.:
> 
>         for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
>                 types += type_ptr[2];
>                 type_ptr += type_ptr[3] + 4;
>         }
> 
>         ses_dev->page1_types = type_ptr;
>         ses_dev->page1_num_types = types;
> 
> Whether or not this is the current problem, it's wrong.
> 

Yes, I definitely agree with this.
There should be some change here.

Thanks
Jianchao


