Hi
From my description, there is still loophole in the previous changes.
can you make a test with the following changes?
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 0a1734f34587..06b991e27c84 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -559,11 +559,11 @@ static void ses_enclosure_data_process(struct
enclosure_device *edev,
struct enclosure_component *ecomp;
if (desc_ptr) {
- if (desc_ptr >= buf + page7_len) {
+ len = (desc_ptr[2] << 8) + desc_ptr[3];
+ desc_ptr += 4;
+ if (desc_ptr + len > buf + page7_len) {
desc_ptr = NULL;
} else {
- len = (desc_ptr[2] << 8) +
desc_ptr[3];
- desc_ptr += 4;
/* Add trailing zero - pushes into
* reserved space */
desc_ptr[len] = '\0';
thanks!
Wensheng
在 2022/8/2 8:01, Martin K. Petersen 写道:
After analysis on vmcore, it was found that the line "desc_ptr[len] =
'\0';" has slab-out-of-bounds problem in ses_enclosure_data_process.
In ses_enclosure_data_process, "desc_ptr" point to "buf", so it have
to be limited in the memory of "buf", however. although there is
"desc_ptr >= buf + page7_len" judgment, it does not work because
"desc_ptr + 4 + len" may bigger than "buf + page7_len", which will
lead to slab-out-of-bounds problem.
Fix it by using judging desc_ptr cross the border or not after
"desc_ptr += 4".
FWIW, I tested this change and I am still getting KASAN errors from ses.
