Re: [PATCH] SCSI: Fix potential out-of-bounds access in drivers/scsi/sd.c

Paolo Bonzini <pbonzini@xxxxxxxxxx> · Fri, 06 Sep 2013 18:24:11 +0200



Il 06/09/2013 17:49, Alan Stern ha scritto:
> This patch fixes an out-of-bounds error in sd_read_cache_type(), found
> by Google's AddressSanitizer tool.  When the loop ends, we know that
> "offset" lies beyond the end of the data in the buffer, so no Caching
> mode page was found.  In theory it may be present, but the buffer size
> is limited to 512 bytes.
> 
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> CC: <stable@xxxxxxxxxxxxxxx>

Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

> 
> ---
> 
> 
> [as1709]
> 
> 
>  drivers/scsi/sd.c |   11 +++--------
>  1 file changed, 3 insertions(+), 8 deletions(-)
> 
> Index: usb-3.11/drivers/scsi/sd.c
> ===================================================================
> --- usb-3.11.orig/drivers/scsi/sd.c
> +++ usb-3.11/drivers/scsi/sd.c
> @@ -2419,14 +2419,9 @@ sd_read_cache_type(struct scsi_disk *sdk
>  			}
>  		}
>  
> -		if (modepage == 0x3F) {
> -			sd_printk(KERN_ERR, sdkp, "No Caching mode page "
> -				  "present\n");
> -			goto defaults;
> -		} else if ((buffer[offset] & 0x3f) != modepage) {
> -			sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
> -			goto defaults;
> -		}
> +		sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n");
> +		goto defaults;
> +
>  	Page_found:
>  		if (modepage == 8) {
>  			sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0);
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html