https://bugzilla.kernel.org/show_bug.cgi?id=60648

Bug ID: 60648
Summary: csiostor/csio_scsi.c: out of bounds access
Product: SCSI Drivers
Version: 2.5
Kernel Version: 3.11rc2
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Other
Assignee: scsi_drivers-other@xxxxxxxxxxxxxxxxxxxx
Reporter: mikko.rapeli@xxxxxx
Regression: No

Coverity id 751478 reports:

1581 static inline void
1582 csio_scsi_err_handler(struct csio_hw *hw, struct csio_ioreq *req)
1583 {
1584         struct scsi_cmnd *cmnd = (struct scsi_cmnd *)csio_scsi_cmnd(req);
1585         struct csio_scsim *scm = csio_hw_to_scsim(hw);
1586         struct fcp_resp_with_ext *fcp_resp;
1587         struct fcp_resp_rsp_info *rsp_info;
1588         struct csio_dma_buf *dma_buf;
1589         uint8_t flags, scsi_status = 0;
1590         uint32_t host_status = DID_OK;
1591         uint32_t rsp_len = 0, sns_len = 0;
1592         struct csio_rnode *rn = (struct csio_rnode *)(cmnd->device->hostdata);
1593
1594
        1. Switch case value "137"
1595         switch (req->wr_status) {
1596         case FW_HOSTERROR:
1597                 if (unlikely(!csio_is_hw_ready(hw)))
1598                         return;
1599
1600                 host_status = DID_ERROR;
1601                 CSIO_INC_STATS(scm, n_hosterror);
1602
1603                 break;
1604         case FW_SCSI_RSP_ERR:
        /drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h
        69         FW_SCSI_RSP_ERR = 137,  /* */
1605                 dma_buf = &req->dma_buf;
1606                 fcp_resp = (struct fcp_resp_with_ext *)dma_buf->vaddr;
1607                 rsp_info = (struct fcp_resp_rsp_info *)(fcp_resp + 1);
1608                 flags = fcp_resp->resp.fr_flags;
1609                 scsi_status = fcp_resp->resp.fr_status;
1610
        2. Condition "flags & 1", taking true branch
1611                 if (flags & FCP_RSP_LEN_VAL) {
        3. Condition "0", taking false branch
1612                         rsp_len = be32_to_cpu(fcp_resp->ext.fr_rsp_len);
        4. Condition "rsp_len != 0", taking true branch
        5. cond_at_least: Checking "rsp_len != 0U" implies that the value of "rsp_len" is at least 1 on the true branch.
        6. Condition "rsp_len != 4", taking true branch
        7. Condition "rsp_len != 8", taking false branch
        8. cond_const: Checking "rsp_len != 8U" implies that the value of "rsp_len" is 8 on the false branch.
        9. Condition "rsp_info->rsp_code != FCP_TMF_CMPL", taking false branch
1613                         if ((rsp_len != 0 && rsp_len != 4 && rsp_len != 8) ||
1614                             (rsp_info->rsp_code != FCP_TMF_CMPL)) {
1615                                 host_status = DID_ERROR;
1616                                 goto out;
1617                         }
1618                 }
1619
        10. Condition "flags & 2", taking true branch
        11. Condition "fcp_resp->ext.fr_sns_len", taking true branch
1620                 if ((flags & FCP_SNS_LEN_VAL) && fcp_resp->ext.fr_sns_len) {
        12. Condition "0", taking false branch
1621                         sns_len = be32_to_cpu(fcp_resp->ext.fr_sns_len);
        13. Condition "sns_len > 96", taking true branch
1622                         if (sns_len > SCSI_SENSE_BUFFERSIZE)
        14. assignment: Assigning: "sns_len" = "96U".
1623                                 sns_len = SCSI_SENSE_BUFFERSIZE;
        /include/scsi/scsi_cmnd.h
        106 #define SCSI_SENSE_BUFFERSIZE   96
1624
        CID 751478 (#1 of 1): Out-of-bounds access (OVERRUN)
        15. overrun-buffer-arg: Overrunning buffer pointed to by "&rsp_info->_fr_resvd[0] + rsp_len" of 3 bytes by passing it to a function which accesses it at byte offset 95 using argument "sns_len" (which evaluates to 96).
1625                         memcpy(cmnd->sense_buffer,
1626                                &rsp_info->_fr_resvd[0] + rsp_len, sns_len);
        /include/scsi/fc/fc_fcp.h
        157         __u8            _fr_resvd[3];   /* reserved */
        158         __u8            rsp_code;       /* Response Info Code */
        159         __u8            _fr_resvd2[4];  /* reserved */
        160 };
1627                         CSIO_INC_STATS(scm, n_autosense);
1628                 }
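The trace above flags the memcpy because its source pointer is derived from the 8-byte struct fcp_resp_rsp_info while sns_len may reach 96. The following C is an added illustration, not code from the driver or the reporter: it walks the same FCP_RSP layout with explicit offsets and adds the bound the analyzer cannot see, checking header + rsp_len + sns_len against the length of the buffer the driver actually owns. The 24-byte header length, the missing-sense return values and the sample frame are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FCP_RSP_LEN_VAL       0x01  /* fr_flags bit, value as in the trace ("flags & 1") */
#define FCP_SNS_LEN_VAL       0x02  /* fr_flags bit, value as in the trace ("flags & 2") */
#define SCSI_SENSE_BUFFERSIZE 96    /* include/scsi/scsi_cmnd.h, quoted in the report */
#define FCP_RSP_HDR_LEN       24    /* assumption: fcp_resp + fcp_resp_ext as laid out on the wire */
static uint32_t be32(const uint8_t *p)          /* read a __be32 field portably */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Copy FCP autosense data out of a response buffer whose real size (buf_len) the
 * caller knows; sense must hold SCSI_SENSE_BUFFERSIZE bytes. Returns bytes copied,
 * 0 if the frame carries no sense data, -1 if the claimed lengths overrun buf_len. */
int fcp_extract_sense(const uint8_t *buf, size_t buf_len, uint8_t *sense)
{
    uint32_t rsp_len = 0, sns_len;
    uint8_t flags;
    if (buf_len < FCP_RSP_HDR_LEN)
        return -1;                              /* header itself is truncated */
    flags = buf[10];                            /* resp.fr_flags */
    if (flags & FCP_RSP_LEN_VAL) {
        rsp_len = be32(buf + 20);               /* ext.fr_rsp_len */
        if (rsp_len != 0 && rsp_len != 4 && rsp_len != 8)
            return -1;                          /* same validity rule the driver applies */
    }
    if (!(flags & FCP_SNS_LEN_VAL))
        return 0;
    sns_len = be32(buf + 16);                   /* ext.fr_sns_len */
    if (sns_len > SCSI_SENSE_BUFFERSIZE)
        sns_len = SCSI_SENSE_BUFFERSIZE;        /* clamp to the destination, as the driver does */
    /* The check the analyzer wants: sense bytes start at header + rsp_len and
     * must end inside the buffer, not merely past the 8-byte rsp_info struct. */
    if ((size_t)FCP_RSP_HDR_LEN + rsp_len + sns_len > buf_len)
        return -1;
    memcpy(sense, buf + FCP_RSP_HDR_LEN + rsp_len, sns_len);
    return (int)sns_len;
}

/* Constructed sample (not from the report): 24-byte header, 8-byte response
 * info, then 18 bytes of fixed-format sense data with sense key 5. */
const uint8_t sample_frame[24 + 8 + 18] = {
    [10] = FCP_RSP_LEN_VAL | FCP_SNS_LEN_VAL,   /* fr_flags: both lengths valid */
    [16] = 0, 0, 0, 18,                         /* fr_sns_len = 18 */
    [20] = 0, 0, 0, 8,                          /* fr_rsp_len = 8 */
    [32] = 0x70, 0x00, 0x05,                    /* sense: current error, ILLEGAL REQUEST */
};
uint8_t sample_sense[SCSI_SENSE_BUFFERSIZE];
```

Passing the same frame with a shorter owned length (for instance 40 bytes) is rejected before the memcpy, which is the behaviour the report's trace lacks.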