* [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs
@ 2021-10-09 7:52 Ye Bin
2021-10-09 7:52 ` [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16 Ye Bin
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Ye Bin @ 2021-10-09 7:52 UTC (permalink / raw)
To: jejb, martin.petersen, linux-scsi, linux-kernel; +Cc: Ye Bin
Ye Bin (2):
scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs
drivers/scsi/scsi_debug.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--
2.31.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
2021-10-09 7:52 [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Ye Bin
@ 2021-10-09 7:52 ` Ye Bin
2021-10-09 7:52 ` [PATCH v2 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs Ye Bin
2021-10-12 17:00 ` [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Martin K. Petersen
2 siblings, 0 replies; 4+ messages in thread
From: Ye Bin @ 2021-10-09 7:52 UTC (permalink / raw)
To: jejb, martin.petersen, linux-scsi, linux-kernel; +Cc: Ye Bin
We got following warning when runing syzkaller:
[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;
[ 3813.830724] program syz-executor not setting count and/or reply_len properly
[ 3813.836956] ==================================================================
[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549
[ 3813.846612] Call Trace:
[ 3813.846995] dump_stack+0x108/0x15f
[ 3813.847524] print_address_description+0xa5/0x372
[ 3813.848243] kasan_report.cold+0x236/0x2a8
[ 3813.849439] check_memory_region+0x240/0x270
[ 3813.850094] memcpy+0x30/0x80
[ 3813.850553] sg_copy_buffer+0x157/0x1e0
[ 3813.853032] sg_copy_from_buffer+0x13/0x20
[ 3813.853660] fill_from_dev_buffer+0x135/0x370
[ 3813.854329] resp_readcap16+0x1ac/0x280
[ 3813.856917] schedule_resp+0x41f/0x1630
[ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0
[ 3813.862699] scsi_dispatch_cmd+0x330/0x950
[ 3813.863329] scsi_request_fn+0xd8e/0x1710
[ 3813.863946] __blk_run_queue+0x10b/0x230
[ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400
[ 3813.865220] sg_common_write.isra.0+0xe61/0x2420
[ 3813.871637] sg_write+0x6c8/0xef0
[ 3813.878853] __vfs_write+0xe4/0x800
[ 3813.883487] vfs_write+0x17b/0x530
[ 3813.884008] ksys_write+0x103/0x270
[ 3813.886268] __x64_sys_write+0x77/0xc0
[ 3813.886841] do_syscall_64+0x106/0x360
[ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9
We can reproduce this issue with following syzkaller log:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00')
open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)
r2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)
write$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)
As in resp_readcap16 we get "int alloc_len" value -1104926854, and then pass
huge arr_len to fill_from_dev_buffer, but arr is only has 32 bytes space. So
lead to OOB in sg_copy_buffer.
To solve this issue just define alloc_len with U32 type.
Signed-off-by: Ye Bin <yebin10@huawei.com>
---
drivers/scsi/scsi_debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 66f507469a31..be0440545744 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1856,7 +1856,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
{
unsigned char *cmd = scp->cmnd;
unsigned char arr[SDEBUG_READCAP16_ARR_SZ];
- int alloc_len;
+ u32 alloc_len;
alloc_len = get_unaligned_be32(cmd + 10);
/* following just in case virtual_gb changed */
@@ -1885,7 +1885,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
}
return fill_from_dev_buffer(scp, arr,
- min_t(int, alloc_len, SDEBUG_READCAP16_ARR_SZ));
+ min_t(u32, alloc_len, SDEBUG_READCAP16_ARR_SZ));
}
#define SDEBUG_MAX_TGTPGS_ARR_SZ 1412
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs
2021-10-09 7:52 [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Ye Bin
2021-10-09 7:52 ` [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16 Ye Bin
@ 2021-10-09 7:52 ` Ye Bin
2021-10-12 17:00 ` [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Martin K. Petersen
2 siblings, 0 replies; 4+ messages in thread
From: Ye Bin @ 2021-10-09 7:52 UTC (permalink / raw)
To: jejb, martin.petersen, linux-scsi, linux-kernel; +Cc: Ye Bin
We got follow issue when run syzkaller:
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815
CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe4/0x14a lib/dump_stack.c:118
print_address_description+0x73/0x280 mm/kasan/report.c:253
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report+0x272/0x370 mm/kasan/report.c:410
memcpy+0x1f/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:377 [inline]
sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
__blk_run_queue_uncond block/blk-core.c:464 [inline]
__blk_run_queue+0x1a4/0x380 block/blk-core.c:484
blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
sg_write+0x64/0xa0 drivers/scsi/sg.c:622
__vfs_write+0xed/0x690 fs/read_write.c:485
kill_bdev:block_device:00000000e138492c
vfs_write+0x184/0x4c0 fs/read_write.c:549
ksys_write+0x107/0x240 fs/read_write.c:599
do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
As with previous patch, we get 'alen' from command, and 'alen''s type is
int, If userspace pass large length we will get negative 'alen'.
So just set 'n'/'alen'/'rlen' with u32 type.
Signed-off-by: Ye Bin <yebin10@huawei.com>
---
drivers/scsi/scsi_debug.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index be0440545744..ead65cdfb522 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1896,8 +1896,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
unsigned char *cmd = scp->cmnd;
unsigned char *arr;
int host_no = devip->sdbg_host->shost->host_no;
- int n, ret, alen, rlen;
int port_group_a, port_group_b, port_a, port_b;
+ u32 alen, n, rlen;
+ int ret;
alen = get_unaligned_be32(cmd + 6);
arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC);
@@ -1959,9 +1960,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
* - The constructed command length
* - The maximum array size
*/
- rlen = min_t(int, alen, n);
+ rlen = min(alen, n);
ret = fill_from_dev_buffer(scp, arr,
- min_t(int, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
+ min_t(u32, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
kfree(arr);
return ret;
}
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs
2021-10-09 7:52 [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Ye Bin
2021-10-09 7:52 ` [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16 Ye Bin
2021-10-09 7:52 ` [PATCH v2 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs Ye Bin
@ 2021-10-12 17:00 ` Martin K. Petersen
2 siblings, 0 replies; 4+ messages in thread
From: Martin K. Petersen @ 2021-10-12 17:00 UTC (permalink / raw)
To: Ye Bin; +Cc: jejb, martin.petersen, linux-scsi, linux-kernel
Ye,
> scsi:scsi_debug: Fix out-of-bound read in resp_readcap16
> scsi:scsi_debug: Fix out-of-bound read in resp_report_tgtpgs
Please CC: Doug Gilbert on scsi_debug patches.
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-10-12 17:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-09 7:52 [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Ye Bin
2021-10-09 7:52 ` [PATCH v2 1/2] scsi:scsi_debug: Fix out-of-bound read in resp_readcap16 Ye Bin
2021-10-09 7:52 ` [PATCH v2 2/2] scsi:scsi_debug:Fix out-of-bound read in resp_report_tgtpgs Ye Bin
2021-10-12 17:00 ` [PATCH v2 0/2] Fix out-of-bound read in resp_readcap16 and resp_report_tgtpgs Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).