From: Zhu Wei <zhuwei@xxxxxxxxxxxxxx> A fix for: BUG: KASAN: slab-out-of-bounds in ses_get_power_status+0x178/0x1a8 [ses] Read of size 1 at addr ffffa5e3f9466a2b by task grep/102588 Call trace: ses_get_power_status+0x178/0x1a8 [ses] get_component_power_status+0x94/0x1f0 [enclosure] dev_attr_show+0x5c/0xc8 sysfs_kf_seq_show+0x1b0/0x350 kernfs_seq_show+0x10c/0x160 seq_read+0x250/0xe28 If the page2 buffer is less than the number of elements indicated by page1, that will cause desc_ptr to point to out-of-bounds. The report occurs when we read sg power_status which iscsi target is a Dell PowerVault MD3200i storage server. Signed-off-by: Zhu Wei <zhuwei@xxxxxxxxxxxxxx> Signed-off-by: Ding Hui <dinghui@xxxxxxxxxxxxxx> --- drivers/scsi/ses.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c index d7d0c35c58b8..2a404e51b6db 100644 --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -165,6 +165,8 @@ static int ses_set_page2_descriptor(struct enclosure_device *edev, for (i = 0; i < ses_dev->page1_num_types; i++, type_ptr += 4) { for (j = 0; j < type_ptr[1]; j++) { desc_ptr += 4; + if (desc_ptr - ses_dev->page2 + 4 > ses_dev->page2_len) + break; if (type_ptr[0] != ENCLOSURE_COMPONENT_DEVICE && type_ptr[0] != ENCLOSURE_COMPONENT_ARRAY_DEVICE) continue; @@ -196,6 +198,8 @@ static unsigned char *ses_get_page2_descriptor(struct enclosure_device *edev, for (i = 0; i < ses_dev->page1_num_types; i++, type_ptr += 4) { for (j = 0; j < type_ptr[1]; j++) { desc_ptr += 4; + if (desc_ptr - ses_dev->page2 + 4 > ses_dev->page2_len) + return NULL; if (type_ptr[0] != ENCLOSURE_COMPONENT_DEVICE && type_ptr[0] != ENCLOSURE_COMPONENT_ARRAY_DEVICE) continue; -- 2.17.1
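Review bot: In the ses_set_page2_descriptor() hunk, the added `break` leaves only the inner `for (j ...)` loop, so the outer loop over page1_num_types keeps running and every later pass does `desc_ptr += 4` again before failing the same test. Nothing is dereferenced on that path, but desc_ptr keeps advancing beyond the end of page2, and the function (declared `static int`) gives its caller no indication that the descriptor was never written. Suggest leaving both loops at once, for example with a goto to a label after the outer loop or by returning an error code, and testing the bound before the increment so the pointer never moves past the buffer.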
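Review bot: In the ses_get_page2_descriptor() hunk, the new `return NULL` inside the loop is only safe if callers check for it, and the diffstat (1 file changed, 4 insertions) shows that no caller was touched. Please confirm that each caller, including ses_get_power_status() from the KASAN trace, tests the returned pointer before reading through it, otherwise the out-of-bounds read turns into a NULL dereference. The test `desc_ptr - ses_dev->page2 + 4 > ses_dev->page2_len` also compares a signed pointer difference with page2_len, whose type is not visible in this diff, and uses a bare 4 for the descriptor size; a named constant or a one-line comment would make the check easier to audit. A Fixes: tag in the commit message would help with stable backports.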