Our memory debug tool captured the following exception:
BUG: memory corruption in ses_enclosure_data_process+0x24b/0x310 [ses]
ses_enclosure_data_process+0x24b/0x310 [ses]
ses_intf_add+0x444/0x542 [ses]
class_interface_register+0x110/0x120
ses_init+0x13/0x1000 [ses]
do_one_initcall+0x41/0x1c0
do_init_module+0x5c/0x260
__do_sys_finit_module+0xb1/0x110
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The root cause is "desc_ptr[len] = '\0'" makes out-of-bound
memory write beyond "buf", so make it within the buffer size.
Reported-by: Qingming Su <qingming.su@xxxxxxxxxxxxxxxxx>
Signed-off-by: Xunlei Pang <xlpang@xxxxxxxxxxxxxxxxx>
---
drivers/scsi/ses.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index c2afba2a5414..c1ac2e96d25d 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -544,11 +544,14 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
char *name = NULL;
struct enclosure_component *ecomp;
+ if (desc_ptr + 4 >= buf + page7_len)
+ desc_ptr = NULL;
+
if (desc_ptr) {
- if (desc_ptr >= buf + page7_len) {
+ len = (desc_ptr[2] << 8) + desc_ptr[3];
+ if (desc_ptr + 4 + len >= buf + page7_len) {
desc_ptr = NULL;
} else {
- len = (desc_ptr[2] << 8) + desc_ptr[3];
desc_ptr += 4;
/* Add trailing zero - pushes into
* reserved space */
--
2.20.1.7.g153144c
