From: starmiku1207184332@gmail.com
To: njavali@marvell.com, mrangankar@marvell.com, jejb@linux.ibm.com,
	martin.petersen@oracle.com
Cc: GR-QLogic-Storage-Upstream@marvell.com,
	linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
	baijiaju1990@gmail.com, Teng Qi <starmiku120718432@gmail.com>,
	TOTE Robot <oslab@tsinghua.edu.cn>
Subject: [PATCH] scsi: qla4xxx: Fix a buffer overflow in qla4xxx_free_ddb()
Date: Fri, 27 Aug 2021 17:26:43 +0800	[thread overview]
Message-ID: <20210827092643.273357-1-starmiku1207184332@gmail.com> (raw)

From: Teng Qi <starmiku120718432@gmail.com>

The functions qla4xxx_session_destroy(), qla4xxx_get_fwddb_entry() and
qla4xxx_free_ddb() are involved in this buffer overflow.
qla4xxx_session_destroy() first calls qla4xxx_get_fwddb_entry(), and then
calls qla4xxx_free_ddb().

In function qla4xxx_session_destroy(), qla4xxx_get_fwddb_entry() is called
with ddb_entry->fw_ddb_index passed as the formal parameter fw_ddb_index.
ret = qla4xxx_get_fwddb_entry(ha, ddb_entry->fw_ddb_index,
	      fw_ddb_entry, fw_ddb_entry_dma,
	      NULL, NULL, &ddb_state, NULL,
	      NULL, NULL);

In qla4xxx_get_fwddb_entry(), fw_ddb_index is checked in:
  if (fw_ddb_index >= MAX_DDB_ENTRIES)

This indicates that fw_ddb_index could be greater than or equal to
MAX_DDB_ENTRIES, and ddb_entry->fw_ddb_index could also be greater than or
equal to MAX_DDB_ENTRIES.
If so, qla4xxx_get_fwddb_entry() will return QLA_ERROR.
After the return, the program goes to the label destroy_session.
Then the function qla4xxx_free_ddb() is called with the argument ddb_entry.
In qla4xxx_free_ddb(), ddb_entry->fw_ddb_index is used as an index:
  ha->fw_ddb_index_map[ddb_entry->fw_ddb_index] =
		(struct ddb_entry *) INVALID_ENTRY;

However, the size of ha->fw_ddb_index_map is MAX_DDB_ENTRIES, so this can
cause a buffer overflow.

To fix this possible buffer overflow, ddb_entry->fw_ddb_index should be
checked first.
If ddb_entry->fw_ddb_index is greater than or equal to MAX_DDB_ENTRIES, the
function qla4xxx_free_ddb() returns.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku120718432@gmail.com>
---
 drivers/scsi/qla4xxx/ql4_init.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/qla4xxx/ql4_init.c b/drivers/scsi/qla4xxx/ql4_init.c
index f786ac2f5548..e5b2161e59ed 100644
--- a/drivers/scsi/qla4xxx/ql4_init.c
+++ b/drivers/scsi/qla4xxx/ql4_init.c
@@ -47,6 +47,8 @@ static void ql4xxx_set_mac_number(struct scsi_qla_host *ha)
 void qla4xxx_free_ddb(struct scsi_qla_host *ha,
     struct ddb_entry *ddb_entry)
 {
+	if (ddb_entry->fw_ddb_index >= MAX_DDB_ENTRIES)
+		return;
 	/* Remove device pointer from index mapping arrays */
 	ha->fw_ddb_index_map[ddb_entry->fw_ddb_index] =
 		(struct ddb_entry *) INVALID_ENTRY;
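Review bot: the silent early return added at the top of qla4xxx_free_ddb() hides a corrupted ddb_entry->fw_ddb_index instead of reporting it, and it also skips whatever the function does after the index-map store, not only the out-of-range write. If an index >= MAX_DDB_ENTRIES can really reach this point, that is a driver bug worth logging; consider `if (WARN_ON(ddb_entry->fw_ddb_index >= MAX_DDB_ENTRIES))` followed by `return;`, or a ql4_printk() before the return, and put a blank line between the new check and the "/* Remove device pointer ... */" comment. The commit message infers that the index can be out of range only from the parameter sanity check inside qla4xxx_get_fwddb_entry(); it should say where ddb_entry->fw_ddb_index is assigned and why a value >= MAX_DDB_ENTRIES can actually be stored there, otherwise the added check is dead code rather than a fix.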
-- 
2.25.1


Thread overview: [no followups]