RE: [PATCH v4 3/5] scsi: ufs: fix potential access NULL pointer while memcpy

From: Avri Altman <Avri.Altman@wdc.com>
To: Bean Huo <huobean@gmail.com>,
	"alim.akhtar@samsung.com" <alim.akhtar@samsung.com>,
	"asutoshd@codeaurora.org" <asutoshd@codeaurora.org>,
	"jejb@linux.ibm.com" <jejb@linux.ibm.com>,
	"martin.petersen@oracle.com" <martin.petersen@oracle.com>,
	"stanley.chu@mediatek.com" <stanley.chu@mediatek.com>,
	"beanhuo@micron.com" <beanhuo@micron.com>,
	"bvanassche@acm.org" <bvanassche@acm.org>,
	"tomas.winkler@intel.com" <tomas.winkler@intel.com>,
	"cang@codeaurora.org" <cang@codeaurora.org>
Cc: "linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH v4 3/5] scsi: ufs: fix potential access NULL pointer while memcpy
Date: Tue, 2 Jun 2020 12:25:55 +0000	[thread overview]
Message-ID: <SN6PR04MB464036A74AA935BEE35280CEFC8B0@SN6PR04MB4640.namprd04.prod.outlook.com> (raw)
In-Reply-To: <43a81bce2159ccd290e5dfe4a69199f56c379ef7.camel@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3955 bytes --]

How about something like the untested attached?

Thanks,
Avri

> -----Original Message-----
> From: Bean Huo <huobean@gmail.com>
> Sent: Tuesday, June 2, 2020 2:36 PM
> To: Avri Altman <Avri.Altman@wdc.com>; alim.akhtar@samsung.com;
> asutoshd@codeaurora.org; jejb@linux.ibm.com;
> martin.petersen@oracle.com; stanley.chu@mediatek.com;
> beanhuo@micron.com; bvanassche@acm.org; tomas.winkler@intel.com;
> cang@codeaurora.org
> Cc: linux-scsi@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH v4 3/5] scsi: ufs: fix potential access NULL pointer while
> memcpy
> 
> CAUTION: This email originated from outside of Western Digital. Do not click
> on links or open attachments unless you recognize the sender and know that
> the content is safe.
> 
> 
> hi Avri
> thanks review.
> 
> 
> On Mon, 2020-06-01 at 06:25 +0000, Avri Altman wrote:
> > Hi,
> >
> > > If param_offset is not 0, the memcpy length shouldn't be the
> > > true descriptor length.
> > >
> > > Fixes: a4b0e8a4e92b ("scsi: ufs: Factor out
> > > ufshcd_read_desc_param")
> > > Signed-off-by: Bean Huo <beanhuo@micron.com>
> > > ---
> > >  drivers/scsi/ufs/ufshcd.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
> > > index f7e8bfefe3d4..bc52a0e89cd3 100644
> > > --- a/drivers/scsi/ufs/ufshcd.c
> > > +++ b/drivers/scsi/ufs/ufshcd.c
> > > @@ -3211,7 +3211,7 @@ int ufshcd_read_desc_param(struct ufs_hba
> > > *hba,
> > >
> > >         /* Check wherher we will not copy more data, than available
> > > */
> > >         if (is_kmalloc && param_size > buff_len)
> > > -               param_size = buff_len;
> > > +               param_size = buff_len - param_offset;
> >
> > But Is_kmalloc is true if (param_offset != 0 || param_size <
> > buff_len)
> > So  if (is_kmalloc && param_size > buff_len) implies that
> > param_offset is 0,
> > Or did I get it wrong?
> 
> If param_offset is 0, This willn't get any wrong, after this patch, it
> is the same since offset is 0. As mentioned in the commit message, this
> patch is only for the case of param_offset is not 0.
> 
> >
> > Still, I think that there is a problem here because nowhere we are
> > checking that
> > param_offset + param_size < buff_len, which now can happen because of
> > ufs-bsg.
> > Maybe you can add it and get rid of that is_kmalloc which is an
> > awkward way to test for valid values?
> 
> let me explain further:
> we have these conditinos:
> 
> 1) param_offset == 0, param_size >= buff_len;//no problem,
> ufshcd_query_descriptor_retry() will read descripor with true
> descriptor length, and no memcpy() called.
> 
> 
> 2) param_offset == 0, param_size < buff_len;// no problem,
> ufshcd_query_descriptor_retry() will read descripor with true
> descriptor length buff_len, and memcpy() with param_size length.
> 
> 
> 3) param_offset != 0, param_offset + param_size <= buff_len;// no
> problem, ufshcd_query_descriptor_retry() will read descripor with true
> descriptor length, and memcpy() with param_size length.
> 
> 
> 4) param_offset != 0, param_offset + param_size > buff_len;// NULL
> pointer reference problem, since ufshcd_query_descriptor_retry() will
> read descripor with true descriptor length, and memcpy() with buff_len
> length. correct memcpy length should be (buff_len - param_offset)
> 
> param_offset + param_size < buff_len doesn't need to add, and
> is_kmalloc is very hard to be removed based on current flow.
> 
> so, the correct fixup patch shoulbe be like this:
> 
> 
> -if (is_kmalloc && param_size > buff_len)
> -       param_size = buff_len
> +if (is_kmalloc && (param_size + param_offset) > buff_len)
> +       param_size = buff_len - param_offset;
> 
> 
> how do you think about it? if no problem, I will update it in next
> version patch.
> 
> thanks,
> 
> Bean


[-- Attachment #2: 0001-scsi-ufshcd-Simplify-ufshcd_read_desc_param.patch --]
[-- Type: application/octet-stream, Size: 2782 bytes --]

From ccb21474171a2ffc67b7a229538288fd39891181 Mon Sep 17 00:00:00 2001
From: Avri Altman <avri.altman@wdc.com>
Date: Tue, 2 Jun 2020 15:14:56 +0300
Subject: [PATCH] scsi: ufshcd: Simplify ufshcd_read_desc_param

Always use a locally allocated buffer, and verify that the requested
parameters are indeed valid.

Fixes: a4b0e8a4e92b ("scsi: ufs: Factor out ufshcd_read_desc_param")
Signed-off-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Bean Huo <beanhuo@micron.com>
---
 drivers/scsi/ufs/ufshcd.c | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index af14e52..f036c59 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -3152,6 +3152,8 @@ EXPORT_SYMBOL(ufshcd_map_desc_id_to_length);
  * @param_size: sizeof(param_read_buf)
  *
  * Return 0 in case of success, non-zero otherwise
+ * The caller must ensure that param_read_buf points to at least param_size
+ * available bytes.
  */
 int ufshcd_read_desc_param(struct ufs_hba *hba,
 			   enum desc_idn desc_id,
@@ -3163,7 +3165,6 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 	int ret;
 	u8 *desc_buf;
 	int buff_len;
-	bool is_kmalloc = true;
 
 	/* Safety check */
 	if (desc_id >= QUERY_DESC_IDN_MAX || !param_size)
@@ -3175,26 +3176,19 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 	ret = ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
 
 	/* Sanity checks */
-	if (ret || !buff_len) {
+	if (ret || (param_offset + param_size >= buff_len)) {
 		dev_err(hba->dev, "%s: Failed to get full descriptor length",
 			__func__);
 		return ret;
 	}
 
-	/* Check whether we need temp memory */
-	if (param_offset != 0 || param_size < buff_len) {
-		desc_buf = kmalloc(buff_len, GFP_KERNEL);
-		if (!desc_buf)
-			return -ENOMEM;
-	} else {
-		desc_buf = param_read_buf;
-		is_kmalloc = false;
-	}
+	desc_buf = kmalloc(buff_len, GFP_KERNEL);
+	if (!desc_buf)
+		return -ENOMEM;
 
 	/* Request for full descriptor */
 	ret = ufshcd_query_descriptor_retry(hba, UPIU_QUERY_OPCODE_READ_DESC,
-					desc_id, desc_index, 0,
-					desc_buf, &buff_len);
+			desc_id, desc_index, 0, desc_buf, &buff_len);
 
 	if (ret) {
 		dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d",
@@ -3210,15 +3204,10 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 		goto out;
 	}
 
-	/* Check wherher we will not copy more data, than available */
-	if (is_kmalloc && param_size > buff_len)
-		param_size = buff_len;
+	memcpy(param_read_buf, &desc_buf[param_offset], param_size);
 
-	if (is_kmalloc)
-		memcpy(param_read_buf, &desc_buf[param_offset], param_size);
 out:
-	if (is_kmalloc)
-		kfree(desc_buf);
+	kfree(desc_buf);
 	return ret;
 }
 
-- 
2.7.4

