* [PATCH] scsi: scsi_debug: sanity check block descriptor length in resp_mode_select
@ 2021-11-18 19:03 George Kennedy
2021-11-22 1:36 ` Douglas Gilbert
2021-11-23 3:45 ` Martin K. Petersen
0 siblings, 2 replies; 3+ messages in thread
From: George Kennedy @ 2021-11-18 19:03 UTC (permalink / raw)
To: gregkh, jejb, martin.petersen, dgilbert
Cc: george.kennedy, linux-scsi, linux-kernel
In resp_mode_select() sanity check the block descriptor len to avoid UAF.
BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
Read of size 1 at addr ffff888026670f50 by task scsicmd/15032
CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
<TASK>
dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
__blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
__blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
__blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
---
drivers/scsi/scsi_debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 1d0278d..51e3b57 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -2499,11 +2499,11 @@ static int resp_mode_select(struct scsi_cmnd *scp,
__func__, param_len, res);
md_len = mselect6 ? (arr[0] + 1) : (get_unaligned_be16(arr + 0) + 2);
bd_len = mselect6 ? arr[3] : get_unaligned_be16(arr + 6);
- if (md_len > 2) {
+ off = bd_len + (mselect6 ? 4 : 8);
+ if (md_len > 2 || off >= res) {
mk_sense_invalid_fld(scp, SDEB_IN_DATA, 0, -1);
return check_condition_result;
}
- off = bd_len + (mselect6 ? 4 : 8);
mpage = arr[off] & 0x3f;
ps = !!(arr[off] & 0x80);
if (ps) {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] scsi: scsi_debug: sanity check block descriptor length in resp_mode_select
2021-11-18 19:03 [PATCH] scsi: scsi_debug: sanity check block descriptor length in resp_mode_select George Kennedy
@ 2021-11-22 1:36 ` Douglas Gilbert
2021-11-23 3:45 ` Martin K. Petersen
1 sibling, 0 replies; 3+ messages in thread
From: Douglas Gilbert @ 2021-11-22 1:36 UTC (permalink / raw)
To: George Kennedy, gregkh, jejb, martin.petersen; +Cc: linux-scsi, linux-kernel
On 2021-11-18 2:03 p.m., George Kennedy wrote:
> In resp_mode_select() sanity check the block descriptor len to avoid UAF.
>
> BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
> Read of size 1 at addr ffff888026670f50 by task scsicmd/15032
>
> CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Call Trace:
> <TASK>
> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
> print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
> kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
> __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
> resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
> schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
> scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
> scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
> blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
> __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
> blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
> __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
> __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
> blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
> blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
> blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
> sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
> sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
> sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
> sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
> __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
> do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
> entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113
>
> Reported-by: syzkaller <syzkaller@googlegroups.com>
> Signed-off-by: George Kennedy <george.kennedy@oracle.com>
So this patch makes sure we don't read outside the parameter data (at least
for the 0th byte of the mode page) so that is an improvement. It could be
stronger if it took into account the size of the mode page which is copied
inside the following switch.
But I can't see how that leads to use after free from KASAN. Hmm, I suppose
any out-of-bounds read could be reported as a use after free. It would be
useful if KASAN differentiated the two cases.
Anyway, the patch can't hurt.
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
> ---
> drivers/scsi/scsi_debug.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index 1d0278d..51e3b57 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -2499,11 +2499,11 @@ static int resp_mode_select(struct scsi_cmnd *scp,
> __func__, param_len, res);
> md_len = mselect6 ? (arr[0] + 1) : (get_unaligned_be16(arr + 0) + 2);
> bd_len = mselect6 ? arr[3] : get_unaligned_be16(arr + 6);
> - if (md_len > 2) {
> + off = bd_len + (mselect6 ? 4 : 8);
> + if (md_len > 2 || off >= res) {
> mk_sense_invalid_fld(scp, SDEB_IN_DATA, 0, -1);
> return check_condition_result;
> }
> - off = bd_len + (mselect6 ? 4 : 8);
> mpage = arr[off] & 0x3f;
> ps = !!(arr[off] & 0x80);
> if (ps) {
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] scsi: scsi_debug: sanity check block descriptor length in resp_mode_select
2021-11-18 19:03 [PATCH] scsi: scsi_debug: sanity check block descriptor length in resp_mode_select George Kennedy
2021-11-22 1:36 ` Douglas Gilbert
@ 2021-11-23 3:45 ` Martin K. Petersen
1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2021-11-23 3:45 UTC (permalink / raw)
To: gregkh, jejb, George Kennedy, dgilbert
Cc: Martin K . Petersen, linux-scsi, linux-kernel
On Thu, 18 Nov 2021 14:03:28 -0500, George Kennedy wrote:
> In resp_mode_select() sanity check the block descriptor len to avoid UAF.
>
> BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
> Read of size 1 at addr ffff888026670f50 by task scsicmd/15032
>
> CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Call Trace:
> <TASK>
> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
> print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
> kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
> __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
> resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
> schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
> scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
> scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
> blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
> __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
> blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
> __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
> __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
> blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
> blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
> blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
> sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
> sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
> sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
> sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
> __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
> do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
> entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113
>
> [...]
Applied to 5.16/scsi-fixes, thanks!
[1/1] scsi: scsi_debug: sanity check block descriptor length in resp_mode_select
https://git.kernel.org/mkp/scsi/c/e0a2c28da11e
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-11-23 3:45 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-18 19:03 [PATCH] scsi: scsi_debug: sanity check block descriptor length in resp_mode_select George Kennedy
2021-11-22 1:36 ` Douglas Gilbert
2021-11-23 3:45 ` Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).