Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: Ewan D. Milne
Date: Mon Mar 18 2019 - 11:22:39 EST
On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
> Jianchao,
>
> > When our customer probe the lpfc devices, they encountered odd memory
> > corruption issues, and we get 'out of bound' access warning at
> > following position after open KASAN
>
> Please provide the output of:
>
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
>
> for the enclosure device in question.
>
The ses driver is allocating kernel buffers based upon the size
reported by RECEIVE DIAGNOSTIC commands, and is iterating through
them based on sizes in the individual descriptors. It appears to
be vulnerable to incorrect data from the device causing out-of-bounds
memory access, because the for() test does not prevent the use of
the pointer in subsequent code, e.g.:
for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
types += type_ptr[2];
type_ptr += type_ptr[3] + 4;
}
ses_dev->page1_types = type_ptr;
ses_dev->page1_num_types = types;
Whether or not this is the current problem, it's wrong.
-Ewan