From: Yu Kuai <yukuai1@huaweicloud.com>
To: jejb@linux.ibm.com, martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
yukuai3@huawei.com, zhangwensheng5@huawei.com,
yi.zhang@huawei.com
Subject: [PATCH -next] [RFC] scsi: ses: fix slab-out-of-bounds in ses_enclosure_data_process
Date: Wed, 13 Jul 2022 17:45:48 +0800 [thread overview]
Message-ID: <20220713094548.3958915-1-yukuai1@huaweicloud.com> (raw)
From: Zhang Wensheng <zhangwensheng5@huawei.com>
Kasan report a bug like below:
[ 494.865170] ==================================================================
[ 494.901335] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x234/0x6f0 [ses]
[ 494.901347] Write of size 1 at addr ffff8882f3181a70 by task systemd-udevd/1704
[ 494.931929] i801_smbus 0000:00:1f.4: SPD Write Disable is set
[ 494.944092] CPU: 12 PID: 1704 Comm: systemd-udevd Tainted: G
[ 494.944101] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 7.01 11/13/2019
[ 494.964003] i801_smbus 0000:00:1f.4: SMBus using PCI interrupt
[ 494.978532] Call Trace:
[ 494.978544] dump_stack+0xbe/0xf9
[ 494.978558] print_address_description.constprop.0+0x19/0x130
[ 495.092838] ? ses_enclosure_data_process+0x234/0x6f0 [ses]
[ 495.092846] __kasan_report.cold+0x68/0x80
[ 495.092855] ? __kasan_kmalloc.constprop.0+0x71/0xd0
[ 495.092862] ? ses_enclosure_data_process+0x234/0x6f0 [ses]
[ 495.092868] kasan_report+0x3a/0x50
[ 495.092875] ses_enclosure_data_process+0x234/0x6f0 [ses]
[ 495.092882] ? mutex_unlock+0x1d/0x40
[ 495.092889] ses_intf_add+0x57f/0x910 [ses]
[ 495.092900] class_interface_register+0x26d/0x290
[ 495.092906] ? class_destroy+0xd0/0xd0
[ 495.092912] ? 0xffffffffc0bf8000
[ 495.092919] ses_init+0x18/0x1000 [ses]
[ 495.092927] do_one_initcall+0xcb/0x370
[ 495.092934] ? initcall_blacklisted+0x1b0/0x1b0
[ 495.092942] ? create_object.isra.0+0x330/0x3a0
[ 495.092950] ? kasan_unpoison_shadow+0x33/0x40
[ 495.092957] ? kasan_unpoison_shadow+0x33/0x40
[ 495.092966] do_init_module+0xe4/0x3a0
[ 495.092972] load_module+0xd0a/0xdd0
[ 495.092980] ? layout_and_allocate+0x300/0x300
[ 495.092989] ? seccomp_run_filters+0x1d6/0x2c0
[ 495.092999] ? kernel_read_file_from_fd+0xb3/0xe0
[ 495.093006] __se_sys_finit_module+0x11b/0x1b0
[ 495.093012] ? __ia32_sys_init_module+0x40/0x40
[ 495.093023] ? __audit_syscall_entry+0x226/0x290
[ 495.093032] do_syscall_64+0x33/0x40
[ 495.093041] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 495.093046] RIP: 0033:0x7f39c3376089
[ 495.093054] Code: 00 48 81 c4 80 00 00 00 89 f0 c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e7 dd 0b 00 f7 d8 64 89 01 48
[ 495.093058] RSP: 002b:00007ffdc6009e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 495.093068] RAX: ffffffffffffffda RBX: 000055d4192801c0 RCX: 00007f39c3376089
[ 495.093072] RDX: 0000000000000000 RSI: 00007f39c2fae99d RDI: 000000000000000f
[ 495.093076] RBP: 00007f39c2fae99d R08: 0000000000000000 R09: 0000000000000001
[ 495.093080] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000000
[ 495.093084] R13: 000055d419282e00 R14: 0000000000020000 R15: 000055d41927f1f0
[ 495.093091] Allocated by task 1704:
[ 495.093098] kasan_save_stack+0x1b/0x40
[ 495.093105] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 495.093111] ses_enclosure_data_process+0x65d/0x6f0 [ses]
[ 495.093117] ses_intf_add+0x57f/0x910 [ses]
[ 495.093123] class_interface_register+0x26d/0x290
[ 495.093129] ses_init+0x18/0x1000 [ses]
[ 495.093134] do_one_initcall+0xcb/0x370
[ 495.093139] do_init_module+0xe4/0x3a0
[ 495.093144] load_module+0xd0a/0xdd0
[ 495.093150] __se_sys_finit_module+0x11b/0x1b0
[ 495.093155] do_syscall_64+0x33/0x40
[ 495.093162] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 495.093168] The buggy address belongs to the object at ffff8882f3181a40
which belongs to the cache kmalloc-64 of size 64
[ 495.093173] The buggy address is located 48 bytes inside of
64-byte region [ffff8882f3181a40, ffff8882f3181a80)
[ 495.093175] The buggy address belongs to the page:
[ 495.093181] page:ffffea000bcc6000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f3180
[ 495.093186] head:ffffea000bcc6000 order:2 compound_mapcount:0 compound_pincount:0
[ 495.093194] flags: 0x17ffe0000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff)
[ 495.093204] raw: 017ffe0000010200 ffffea0016e5fb08 ffffea0016921508 ffff888100050e00
[ 495.093211] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
[ 495.093213] page dumped because: kasan: bad access detected
[ 495.093216] Memory state around the buggy address:
[ 495.093222] ffff8882f3181900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 495.093227] ffff8882f3181980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 495.093231] >ffff8882f3181a00: fc fc fc fc fc fc fc fc 00 00 00 00 01 fc fc fc
[ 495.093234] ^
[ 495.093239] ffff8882f3181a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 495.093244] ffff8882f3181b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 495.093246] ==================================================================
After analysis on vmcore, it was found that the line "desc_ptr[len] =
'\0';" has slab-out-of-bounds problem in ses_enclosure_data_process.
In ses_enclosure_data_process, "desc_ptr" point to "buf", so it have
to be limited in the memory of "buf", however. although there is
"desc_ptr >= buf + page7_len" judgment, it does not work because
"desc_ptr + 4 + len" may bigger than "buf + page7_len", which will
lead to slab-out-of-bounds problem.
Fix it by using judging desc_ptr cross the border or not after
"desc_ptr += 4".
Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
---
drivers/scsi/ses.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 0a1734f34587..981e6e950adc 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -559,11 +559,11 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
struct enclosure_component *ecomp;
if (desc_ptr) {
+ len = (desc_ptr[2] << 8) + desc_ptr[3];
+ desc_ptr += 4;
if (desc_ptr >= buf + page7_len) {
desc_ptr = NULL;
} else {
- len = (desc_ptr[2] << 8) + desc_ptr[3];
- desc_ptr += 4;
/* Add trailing zero - pushes into
* reserved space */
desc_ptr[len] = '\0';
--
2.31.1
next reply other threads:[~2022-07-13 9:53 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-13 9:45 Yu Kuai [this message]
2022-08-02 0:01 ` [PATCH -next] [RFC] scsi: ses: fix slab-out-of-bounds in ses_enclosure_data_process Martin K. Petersen
2022-08-02 1:19 ` zhangwensheng (E)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220713094548.3958915-1-yukuai1@huaweicloud.com \
--to=yukuai1@huaweicloud.com \
--cc=jejb@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=yi.zhang@huawei.com \
--cc=yukuai3@huawei.com \
--cc=zhangwensheng5@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.