Our memory debug tool captured the following exception: BUG: memory corruption in ses_enclosure_data_process+0x24b/0x310 [ses] ses_enclosure_data_process+0x24b/0x310 [ses] ses_intf_add+0x444/0x542 [ses] class_interface_register+0x110/0x120 ses_init+0x13/0x1000 [ses] do_one_initcall+0x41/0x1c0 do_init_module+0x5c/0x260 __do_sys_finit_module+0xb1/0x110 do_syscall_64+0x2d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The root cause is "desc_ptr[len] = '\0'" makes out-of-bound memory write beyond "buf", so make it within the buffer size. Reported-by: Qingming Su <qingming.su@xxxxxxxxxxxxxxxxx> Signed-off-by: Xunlei Pang <xlpang@xxxxxxxxxxxxxxxxx> --- drivers/scsi/ses.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c index c2afba2a5414..c1ac2e96d25d 100644 --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -544,11 +544,14 @@ static void ses_enclosure_data_process(struct enclosure_device *edev, char *name = NULL; struct enclosure_component *ecomp; + if (desc_ptr + 4 >= buf + page7_len) + desc_ptr = NULL; + if (desc_ptr) { - if (desc_ptr >= buf + page7_len) { + len = (desc_ptr[2] << 8) + desc_ptr[3]; + if (desc_ptr + 4 + len >= buf + page7_len) { desc_ptr = NULL; } else { - len = (desc_ptr[2] << 8) + desc_ptr[3]; desc_ptr += 4; /* Add trailing zero - pushes into * reserved space */ -- 2.20.1.7.g153144c