[PATCH] scsi: sr: fix oob access in get_capabilities

From: Kefeng Wang
Date: Fri Mar 03 2017 - 05:25:21 EST


'n = header_length + block_descriptor_length' could be greater than 512,
and will lead to oob access, so enlarge transfer buffer to fix it.

===
BUG: KASAN: slab-out-of-bounds in sr_probe+0x570/0xcc0 at addr ffff88000009020e
Read of size 1 by task kworker/u48:2/188

Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
---
drivers/scsi/sr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index 0b29b93..5a80aa6 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -852,7 +852,7 @@ static void get_capabilities(struct scsi_cd *cd)


/* allocate transfer buffer */
- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
+ buffer = kmalloc(1024, GFP_KERNEL | GFP_DMA);
if (!buffer) {
sr_printk(KERN_ERR, cd, "out of memory.\n");
return;
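Review bot: at the changed `kmalloc(1024, GFP_KERNEL | GFP_DMA)` line, doubling the buffer only raises the threshold at which the out-of-bounds read occurs. It does not bound the index. The commit message says `n = header_length + block_descriptor_length` can exceed 512, and both terms come from data the device returns, so nothing visible here keeps `n` plus the offsets read past it below 1024 either. I would rather see `n` checked against the allocated size before the buffer is indexed, with the function taking its existing failure path when the response does not fit. If the larger allocation is still wanted, the size should be a named constant shared by the `kmalloc()` call and that check so the two cannot drift apart. The changelog should also say where 1024 comes from, since the KASAN excerpt shows only a 1-byte read in `sr_probe` and not how far past the buffer it landed.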
--
1.7.12.4