[PATCH v2 resend 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs

[PATCH v2 resend 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs

[Ye Bin]

Ye Bin (2):
  scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
  scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs

 drivers/scsi/scsi_debug.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

-- 
2.31.1

[PATCH v2 resend 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16

[Ye Bin]

We got following warning when runing syzkaller:
[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;
[ 3813.830724]    program syz-executor not setting count and/or reply_len properly
[ 3813.836956] ==================================================================
[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549
[ 3813.846612] Call Trace:
[ 3813.846995]  dump_stack+0x108/0x15f
[ 3813.847524]  print_address_description+0xa5/0x372
[ 3813.848243]  kasan_report.cold+0x236/0x2a8
[ 3813.849439]  check_memory_region+0x240/0x270
[ 3813.850094]  memcpy+0x30/0x80
[ 3813.850553]  sg_copy_buffer+0x157/0x1e0
[ 3813.853032]  sg_copy_from_buffer+0x13/0x20
[ 3813.853660]  fill_from_dev_buffer+0x135/0x370
[ 3813.854329]  resp_readcap16+0x1ac/0x280
[ 3813.856917]  schedule_resp+0x41f/0x1630
[ 3813.858203]  scsi_debug_queuecommand+0xb32/0x17e0
[ 3813.862699]  scsi_dispatch_cmd+0x330/0x950
[ 3813.863329]  scsi_request_fn+0xd8e/0x1710
[ 3813.863946]  __blk_run_queue+0x10b/0x230
[ 3813.864544]  blk_execute_rq_nowait+0x1d8/0x400
[ 3813.865220]  sg_common_write.isra.0+0xe61/0x2420
[ 3813.871637]  sg_write+0x6c8/0xef0
[ 3813.878853]  __vfs_write+0xe4/0x800
[ 3813.883487]  vfs_write+0x17b/0x530
[ 3813.884008]  ksys_write+0x103/0x270
[ 3813.886268]  __x64_sys_write+0x77/0xc0
[ 3813.886841]  do_syscall_64+0x106/0x360
[ 3813.887415]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

We can reproduce this issue with following syzkaller log:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00')
open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)
r2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)
write$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)

As in resp_readcap16 we get "int alloc_len" value -1104926854, and then pass
huge arr_len to fill_from_dev_buffer, but arr is only has 32 bytes space. So
lead to OOB in sg_copy_buffer.
To solve this issue just define alloc_len with U32 type.

Signed-off-by: Ye Bin <yebin10@huawei.com>
---
 drivers/scsi/scsi_debug.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 66f507469a31..be0440545744 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1856,7 +1856,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
 {
 	unsigned char *cmd = scp->cmnd;
 	unsigned char arr[SDEBUG_READCAP16_ARR_SZ];
-	int alloc_len;
+	u32 alloc_len;
 
 	alloc_len = get_unaligned_be32(cmd + 10);
 	/* following just in case virtual_gb changed */
@@ -1885,7 +1885,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
 	}
 
 	return fill_from_dev_buffer(scp, arr,
-			    min_t(int, alloc_len, SDEBUG_READCAP16_ARR_SZ));
+			    min_t(u32, alloc_len, SDEBUG_READCAP16_ARR_SZ));
 }
 
 #define SDEBUG_MAX_TGTPGS_ARR_SZ 1412
-- 
2.31.1

[PATCH v2 resend 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs

[Ye Bin]

We got follow issue when run syzkaller:
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815

CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xe4/0x14a lib/dump_stack.c:118
 print_address_description+0x73/0x280 mm/kasan/report.c:253
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report+0x272/0x370 mm/kasan/report.c:410
 memcpy+0x1f/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:377 [inline]
 sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
 fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
 resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
 schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
 scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
 scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
 scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
 __blk_run_queue_uncond block/blk-core.c:464 [inline]
 __blk_run_queue+0x1a4/0x380 block/blk-core.c:484
 blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
 sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
 sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
 sg_write+0x64/0xa0 drivers/scsi/sg.c:622
 __vfs_write+0xed/0x690 fs/read_write.c:485
kill_bdev:block_device:00000000e138492c
 vfs_write+0x184/0x4c0 fs/read_write.c:549
 ksys_write+0x107/0x240 fs/read_write.c:599
 do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

 As with previous patch, we get 'alen' from command, and 'alen''s type is
 int, If userspace pass large length we will get negative 'alen'.
 So just set 'n'/'alen'/'rlen' with u32 type.

Signed-off-by: Ye Bin <yebin10@huawei.com>
---
 drivers/scsi/scsi_debug.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index be0440545744..ead65cdfb522 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1896,8 +1896,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
 	unsigned char *cmd = scp->cmnd;
 	unsigned char *arr;
 	int host_no = devip->sdbg_host->shost->host_no;
-	int n, ret, alen, rlen;
 	int port_group_a, port_group_b, port_a, port_b;
+	u32 alen, n, rlen;
+	int ret;
 
 	alen = get_unaligned_be32(cmd + 6);
 	arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC);
@@ -1959,9 +1960,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
 	 * - The constructed command length
 	 * - The maximum array size
 	 */
-	rlen = min_t(int, alen, n);
+	rlen = min(alen, n);
 	ret = fill_from_dev_buffer(scp, arr,
-			   min_t(int, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
+			   min_t(u32, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
 	kfree(arr);
 	return ret;
 }
-- 
2.31.1

Re: [PATCH v2 resend 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs

[Douglas Gilbert]

On 2021-10-12 11:39 p.m., Ye Bin wrote:
> We got follow issue when run syzkaller:
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
> BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
> Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815
> 
> CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe4/0x14a lib/dump_stack.c:118
>   print_address_description+0x73/0x280 mm/kasan/report.c:253
>   kasan_report_error mm/kasan/report.c:352 [inline]
>   kasan_report+0x272/0x370 mm/kasan/report.c:410
>   memcpy+0x1f/0x50 mm/kasan/kasan.c:302
>   memcpy include/linux/string.h:377 [inline]
>   sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
>   fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
>   resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
>   schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
>   scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
>   scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
>   scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
>   __blk_run_queue_uncond block/blk-core.c:464 [inline]
>   __blk_run_queue+0x1a4/0x380 block/blk-core.c:484
>   blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
>   sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
>   sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
>   sg_write+0x64/0xa0 drivers/scsi/sg.c:622
>   __vfs_write+0xed/0x690 fs/read_write.c:485
> kill_bdev:block_device:00000000e138492c
>   vfs_write+0x184/0x4c0 fs/read_write.c:549
>   ksys_write+0x107/0x240 fs/read_write.c:599
>   do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
>   As with previous patch, we get 'alen' from command, and 'alen''s type is
>   int, If userspace pass large length we will get negative 'alen'.
>   So just set 'n'/'alen'/'rlen' with u32 type.
> 
> Signed-off-by: Ye Bin <yebin10@huawei.com>

Acked-by: Douglas Gilbert <dgilbert@interlog.com>

Thanks.

> ---
>   drivers/scsi/scsi_debug.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index be0440545744..ead65cdfb522 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -1896,8 +1896,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
>   	unsigned char *cmd = scp->cmnd;
>   	unsigned char *arr;
>   	int host_no = devip->sdbg_host->shost->host_no;
> -	int n, ret, alen, rlen;
>   	int port_group_a, port_group_b, port_a, port_b;
> +	u32 alen, n, rlen;
> +	int ret;
>   
>   	alen = get_unaligned_be32(cmd + 6);
>   	arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC);
> @@ -1959,9 +1960,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
>   	 * - The constructed command length
>   	 * - The maximum array size
>   	 */
> -	rlen = min_t(int, alen, n);
> +	rlen = min(alen, n);
>   	ret = fill_from_dev_buffer(scp, arr,
> -			   min_t(int, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
> +			   min_t(u32, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
>   	kfree(arr);
>   	return ret;
>   }
> 

Re: [PATCH v2 resend 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16

[Douglas Gilbert]

On 2021-10-12 11:39 p.m., Ye Bin wrote:
> We got following warning when runing syzkaller:
> [ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;
> [ 3813.830724]    program syz-executor not setting count and/or reply_len properly
> [ 3813.836956] ==================================================================
> [ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
> [ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549
> [ 3813.846612] Call Trace:
> [ 3813.846995]  dump_stack+0x108/0x15f
> [ 3813.847524]  print_address_description+0xa5/0x372
> [ 3813.848243]  kasan_report.cold+0x236/0x2a8
> [ 3813.849439]  check_memory_region+0x240/0x270
> [ 3813.850094]  memcpy+0x30/0x80
> [ 3813.850553]  sg_copy_buffer+0x157/0x1e0
> [ 3813.853032]  sg_copy_from_buffer+0x13/0x20
> [ 3813.853660]  fill_from_dev_buffer+0x135/0x370
> [ 3813.854329]  resp_readcap16+0x1ac/0x280
> [ 3813.856917]  schedule_resp+0x41f/0x1630
> [ 3813.858203]  scsi_debug_queuecommand+0xb32/0x17e0
> [ 3813.862699]  scsi_dispatch_cmd+0x330/0x950
> [ 3813.863329]  scsi_request_fn+0xd8e/0x1710
> [ 3813.863946]  __blk_run_queue+0x10b/0x230
> [ 3813.864544]  blk_execute_rq_nowait+0x1d8/0x400
> [ 3813.865220]  sg_common_write.isra.0+0xe61/0x2420
> [ 3813.871637]  sg_write+0x6c8/0xef0
> [ 3813.878853]  __vfs_write+0xe4/0x800
> [ 3813.883487]  vfs_write+0x17b/0x530
> [ 3813.884008]  ksys_write+0x103/0x270
> [ 3813.886268]  __x64_sys_write+0x77/0xc0
> [ 3813.886841]  do_syscall_64+0x106/0x360
> [ 3813.887415]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> We can reproduce this issue with following syzkaller log:
> r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
> r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00')
> open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)
> r2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)
> write$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)
> 
> As in resp_readcap16 we get "int alloc_len" value -1104926854, and then pass
> huge arr_len to fill_from_dev_buffer, but arr is only has 32 bytes space. So
> lead to OOB in sg_copy_buffer.
> To solve this issue just define alloc_len with U32 type.
> 
> Signed-off-by: Ye Bin <yebin10@huawei.com>

Acked-by: Douglas Gilbert <dgilbert@interlog.com>

Thanks.

> ---
>   drivers/scsi/scsi_debug.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index 66f507469a31..be0440545744 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -1856,7 +1856,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
>   {
>   	unsigned char *cmd = scp->cmnd;
>   	unsigned char arr[SDEBUG_READCAP16_ARR_SZ];
> -	int alloc_len;
> +	u32 alloc_len;
>   
>   	alloc_len = get_unaligned_be32(cmd + 10);
>   	/* following just in case virtual_gb changed */
> @@ -1885,7 +1885,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
>   	}
>   
>   	return fill_from_dev_buffer(scp, arr,
> -			    min_t(int, alloc_len, SDEBUG_READCAP16_ARR_SZ));
> +			    min_t(u32, alloc_len, SDEBUG_READCAP16_ARR_SZ));
>   }
>   
>   #define SDEBUG_MAX_TGTPGS_ARR_SZ 1412
> 

Re: [PATCH v2 resend 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs

[Martin K. Petersen]

Ye,

>   scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
>   scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs

Applied to 5.16/scsi-staging, thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering

Re: [PATCH v2 resend 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs

[Martin K. Petersen]

On Wed, 13 Oct 2021 11:39:11 +0800, Ye Bin wrote:

> Ye Bin (2):
>   scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
>   scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs
> 
> drivers/scsi/scsi_debug.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> [...]

Applied to 5.16/scsi-queue, thanks!

[1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
      https://git.kernel.org/mkp/scsi/c/4e3ace0051e7
[2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs
      https://git.kernel.org/mkp/scsi/c/f347c26836c2

-- 
Martin K. Petersen	Oracle Linux Engineering