From: starmiku1207184332@gmail.com
To: njavali@marvell.com, mrangankar@marvell.com, jejb@linux.ibm.com,
	martin.petersen@oracle.com
Cc: GR-QLogic-Storage-Upstream@marvell.com,
	linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
	baijiaju1990@gmail.com, Teng Qi <starmiku120718432@gmail.com>,
	TOTE Robot <oslab@tsinghua.edu.cn>
Subject: [PATCH] scsi: qla4xxx: Fix a buffer overflow in qla4xxx_free_ddb()
Date: Fri, 27 Aug 2021 17:26:43 +0800	[thread overview]
Message-ID: <20210827092643.273357-1-starmiku1207184332@gmail.com> (raw)

From: Teng Qi <starmiku120718432@gmail.com>

Functions qla4xxx_session_destroy(), qla4xxx_get_fwddb_entry() and
qla4xxx_free_ddb() are involved in this buffer overflow.
qla4xxx_session_destroy() first calls qla4xxx_get_fwddb_entry(), and then
calls qla4xxx_free_ddb().

In function qla4xxx_session_destroy(), qla4xxx_get_fwddb_entry() is called
with ddb_entry->fw_ddb_index being passed to the formal parameter
fw_ddb_index.
ret = qla4xxx_get_fwddb_entry(ha, ddb_entry->fw_ddb_index,
	      fw_ddb_entry, fw_ddb_entry_dma,
	      NULL, NULL, &ddb_state, NULL,
	      NULL, NULL);

In qla4xxx_get_fwddb_entry(), fw_ddb_index is checked in:
  if (fw_ddb_index >= MAX_DDB_ENTRIES)

This indicates fw_ddb_index could be greater than or equal to MAX_DDB_ENTRIES,
and ddb_entry->fw_ddb_index could also be greater than or equal to
MAX_DDB_ENTRIES.
If so, qla4xxx_get_fwddb_entry() will return QLA_ERROR.
After return, the program goes to the label destroy_session.
Then the function qla4xxx_free_ddb() is called with argument ddb_entry.
In qla4xxx_free_ddb(), ddb_entry->fw_ddb_index is used as index.
  ha->fw_ddb_index_map[ddb_entry->fw_ddb_index] =
		(struct ddb_entry *) INVALID_ENTRY;

However, the size of ha->fw_ddb_index_map is MAX_DDB_ENTRIES, which can cause
a buffer overflow.

To fix this possible buffer overflow, ddb_entry->fw_ddb_index should be
checked first.
If ddb_entry->fw_ddb_index is greater than or equal to MAX_DDB_ENTRIES, the
function qla4xxx_free_ddb() returns.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku120718432@gmail.com>
---
 drivers/scsi/qla4xxx/ql4_init.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/qla4xxx/ql4_init.c b/drivers/scsi/qla4xxx/ql4_init.c
index f786ac2f5548..e5b2161e59ed 100644
--- a/drivers/scsi/qla4xxx/ql4_init.c
+++ b/drivers/scsi/qla4xxx/ql4_init.c
@@ -47,6 +47,8 @@ static void ql4xxx_set_mac_number(struct scsi_qla_host *ha)
 void qla4xxx_free_ddb(struct scsi_qla_host *ha,
     struct ddb_entry *ddb_entry)
 {
+	if (ddb_entry->fw_ddb_index >= MAX_DDB_ENTRIES)
+		return;
 	/* Remove device pointer from index mapping arrays */
 	ha->fw_ddb_index_map[ddb_entry->fw_ddb_index] =
 		(struct ddb_entry *) INVALID_ENTRY;
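Review bot: the early return at the top of qla4xxx_free_ddb() guards more than the single array write it protects; any teardown that follows the `ha->fw_ddb_index_map[...] = INVALID_ENTRY;` assignment in this function is skipped as well, so an entry whose fw_ddb_index is out of range is never cleaned up by this path. Consider narrowing the guard to the index-map write, e.g. `if (ddb_entry->fw_ddb_index < MAX_DDB_ENTRIES)` wrapping just that assignment, and adding a WARN_ON_ONCE() or driver log message instead of returning silently: an entry with fw_ddb_index >= MAX_DDB_ENTRIES is corrupted state that should be visible, not masked. The commit message should also explain how ddb_entry->fw_ddb_index can reach that value here; the comparison in qla4xxx_get_fwddb_entry() shows the index is validated in that function, not that it is actually out of range on this path.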
-- 
2.25.1
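As an added illustration, not part of this patch or of the qla4xxx driver, the following C program models the error path the commit message describes: a lookup that rejects an out-of-range fw_ddb_index, a `goto` to the cleanup label that still calls the free routine with the same entry, and a bounds check placed before the index-map write so the rejected index can never select a slot past the end of the array. MAX_DDB_ENTRIES, INVALID_ENTRY, the two struct shapes and the function names are simplified stand-ins chosen for the example, not the driver's real definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified stand-ins for the driver's definitions (assumption: the real
 * MAX_DDB_ENTRIES, INVALID_ENTRY and struct layouts live in ql4_def.h and
 * are larger; only the index -> map-slot relationship is modelled here).
 */
#define MAX_DDB_ENTRIES 8
#define INVALID_ENTRY   ((struct ddb_entry *)(uintptr_t)0xFFFF)
#define QLA_SUCCESS     0
#define QLA_ERROR       1

struct ddb_entry {
	unsigned int fw_ddb_index;	/* firmware slot this entry maps to */
};

struct scsi_qla_host {
	struct ddb_entry *fw_ddb_index_map[MAX_DDB_ENTRIES];
};

/* Stand-in for the firmware lookup: validates the index before using it,
 * like the check quoted in the commit message. */
static int get_fwddb_entry(unsigned int fw_ddb_index)
{
	if (fw_ddb_index >= MAX_DDB_ENTRIES)
		return QLA_ERROR;
	return QLA_SUCCESS;
}

/* Hardened free: the bounds check precedes the array write, so an
 * out-of-range index can never address a slot past fw_ddb_index_map.
 * Returns true if a slot was invalidated, false if the index was rejected. */
static bool free_ddb(struct scsi_qla_host *ha, struct ddb_entry *ddb_entry)
{
	if (ddb_entry->fw_ddb_index >= MAX_DDB_ENTRIES) {
		/* Make the bad index visible instead of silently dropping it. */
		fprintf(stderr, "free_ddb: fw_ddb_index %u >= MAX_DDB_ENTRIES (%d)\n",
			ddb_entry->fw_ddb_index, MAX_DDB_ENTRIES);
		return false;
	}
	ha->fw_ddb_index_map[ddb_entry->fw_ddb_index] = INVALID_ENTRY;
	return true;
}

/* Models the flow in qla4xxx_session_destroy(): a failed lookup jumps to
 * the cleanup label, which still calls free_ddb() with the same entry.
 * That is why the check must live in free_ddb(), not only in the lookup. */
static bool session_destroy(struct scsi_qla_host *ha, struct ddb_entry *ddb_entry)
{
	int ret = get_fwddb_entry(ddb_entry->fw_ddb_index);

	if (ret == QLA_ERROR)
		goto destroy_session;

	/* (Normal teardown of the firmware-side entry would happen here.) */

destroy_session:
	return free_ddb(ha, ddb_entry);
}

/* Number of map slots that still point at a live entry. */
static size_t live_slots(const struct scsi_qla_host *ha)
{
	size_t n = 0;

	for (size_t i = 0; i < MAX_DDB_ENTRIES; i++)
		if (ha->fw_ddb_index_map[i] && ha->fw_ddb_index_map[i] != INVALID_ENTRY)
			n++;
	return n;
}

/* Runs both scenarios on constructed sample data and returns how many of
 * the three expected observations held (3 means the guard behaved as intended). */
static int demo(void)
{
	struct scsi_qla_host ha = { { NULL } };
	struct ddb_entry good = { .fw_ddb_index = 3 };			/* constructed: in range */
	struct ddb_entry bad  = { .fw_ddb_index = MAX_DDB_ENTRIES };	/* constructed: one past the end */
	int held = 0;

	ha.fw_ddb_index_map[good.fw_ddb_index] = &good;

	/* In-range entry: its slot becomes INVALID_ENTRY and no live slots remain. */
	if (session_destroy(&ha, &good) && ha.fw_ddb_index_map[3] == INVALID_ENTRY)
		held++;
	if (live_slots(&ha) == 0)
		held++;

	/* Out-of-range entry: the lookup fails, the error path still reaches
	 * free_ddb(), and the guard rejects it before the array write. */
	if (!session_destroy(&ha, &bad))
		held++;

	return held;
}

int main(void)
{
	int held = demo();

	printf("observations held: %d of 3\n", held);
	return held == 3 ? 0 : 1;
}
```

The point of routing the out-of-range entry through `session_destroy()` rather than calling `free_ddb()` directly is that the lookup's own check only protects the lookup; the cleanup label is reached precisely when that check fails, so the array write needs its own guard.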

