From: Jia-Ju Bai <baijiaju1990@gmail.com>
To: linuxdrivers@attotech.com, jejb@linux.ibm.com,
martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
Jia-Ju Bai <baijiaju1990@gmail.com>
Subject: [PATCH] scsi: esas2r: reduce the risk of a possible buffer-overflow vulnerability caused by DMA failures/attacks in esas2r_process_vda_ioctl()
Date: Tue, 5 May 2020 01:24:12 +0800 [thread overview]
Message-ID: <20200504172412.25985-1-baijiaju1990@gmail.com> (raw)
The function esas2r_read_vda() uses a DMA value "vi":
struct atto_ioctl_vda *vi =
(struct atto_ioctl_vda *)a->vda_buffer;
Then esas2r_read_vda() calls esas2r_process_vda_ioctl() with vi:
esas2r_process_vda_ioctl(a, vi, rq, &sgc);
In esas2r_process_vda_ioctl(), the DMA value "vi->function" is
used at many places, such as:
if (vi->function >= vercnt)
...
if (vi->version > esas2r_vdaioctl_versions[vi->function])
...
However, when DMA failures or attacks occur, the value of vi->function
can be changed at any time. In this case, vi->function can be
first smaller than vercnt, and then it can be larger than vercnt when it
is used as the array index of esas2r_vdaioctl_versions, causing a
buffer-overflow vulnerability.
To avoid the risk of this vulnerability, vi->function is assigned to a
non-DMA local variable at the beginning of esas2r_process_vda_ioctl(),
and this variable replaces each use of vi->function in the function.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
drivers/scsi/esas2r/esas2r_vda.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/scsi/esas2r/esas2r_vda.c b/drivers/scsi/esas2r/esas2r_vda.c
index 30028e56df63..c3a6811145cf 100644
--- a/drivers/scsi/esas2r/esas2r_vda.c
+++ b/drivers/scsi/esas2r/esas2r_vda.c
@@ -70,16 +70,17 @@ bool esas2r_process_vda_ioctl(struct esas2r_adapter *a,
u32 datalen = 0;
struct atto_vda_sge *firstsg = NULL;
u8 vercnt = (u8)ARRAY_SIZE(esas2r_vdaioctl_versions);
+ u8 function = vi->function;
vi->status = ATTO_STS_SUCCESS;
vi->vda_status = RS_PENDING;
- if (vi->function >= vercnt) {
+ if (function >= vercnt) {
vi->status = ATTO_STS_INV_FUNC;
return false;
}
- if (vi->version > esas2r_vdaioctl_versions[vi->function]) {
+ if (vi->version > esas2r_vdaioctl_versions[function]) {
vi->status = ATTO_STS_INV_VERSION;
return false;
}
@@ -89,14 +90,14 @@ bool esas2r_process_vda_ioctl(struct esas2r_adapter *a,
return false;
}
- if (vi->function != VDA_FUNC_SCSI)
+ if (function != VDA_FUNC_SCSI)
clear_vda_request(rq);
- rq->vrq->scsi.function = vi->function;
+ rq->vrq->scsi.function = function;
rq->interrupt_cb = esas2r_complete_vda_ioctl;
rq->interrupt_cx = vi;
- switch (vi->function) {
+ switch (function) {
case VDA_FUNC_FLASH:
if (vi->cmd.flash.sub_func != VDA_FLASH_FREAD
--
2.17.1
reply other threads:[~2020-05-04 17:25 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200504172412.25985-1-baijiaju1990@gmail.com \
--to=baijiaju1990@gmail.com \
--cc=jejb@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=linuxdrivers@attotech.com \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).