Patch "staging: rts5208: Fix get_ms_information() heap buffer size" has been added to the 4.19-stable tree

This is a note to let you know that I've just added the patch titled

    staging: rts5208: Fix get_ms_information() heap buffer size

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     staging-rts5208-fix-get_ms_information-heap-buffer-s.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 46de7e8ac114c269f33a2355d0f42df37f82311b
Author: Kees Cook <keescook@xxxxxxxxxxxx>
Date:   Tue Aug 17 21:42:52 2021 -0700

    staging: rts5208: Fix get_ms_information() heap buffer size
    
    [ Upstream commit cbe34165cc1b7d1110b268ba8b9f30843c941639 ]
    
    Fix buf allocation size (it needs to be 2 bytes larger). Found when
    __alloc_size() annotations were added to kmalloc() interfaces.
    
    In file included from ./include/linux/string.h:253,
                     from ./include/linux/bitmap.h:10,
                     from ./include/linux/cpumask.h:12,
                     from ./arch/x86/include/asm/paravirt.h:17,
                     from ./arch/x86/include/asm/irqflags.h:63,
                     from ./include/linux/irqflags.h:16,
                     from ./include/linux/rcupdate.h:26,
                     from ./include/linux/rculist.h:11,
                     from ./include/linux/pid.h:5,
                     from ./include/linux/sched.h:14,
                     from ./include/linux/blkdev.h:5,
                     from drivers/staging/rts5208/rtsx_scsi.c:12:
    In function 'get_ms_information',
        inlined from 'ms_sp_cmnd' at drivers/staging/rts5208/rtsx_scsi.c:2877:12,
        inlined from 'rtsx_scsi_handler' at drivers/staging/rts5208/rtsx_scsi.c:3247:12:
    ./include/linux/fortify-string.h:54:29: warning: '__builtin_memcpy' forming offset [106, 107] is out
     of the bounds [0, 106] [-Warray-bounds]
       54 | #define __underlying_memcpy __builtin_memcpy
          |                             ^
    ./include/linux/fortify-string.h:417:2: note: in expansion of macro '__underlying_memcpy'
      417 |  __underlying_##op(p, q, __fortify_size);   \
          |  ^~~~~~~~~~~~~
    ./include/linux/fortify-string.h:463:26: note: in expansion of macro '__fortify_memcpy_chk'
      463 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,   \
          |                          ^~~~~~~~~~~~~~~~~~~~
    drivers/staging/rts5208/rtsx_scsi.c:2851:3: note: in expansion of macro 'memcpy'
     2851 |   memcpy(buf + i, ms_card->raw_sys_info, 96);
          |   ^~~~~~
    
    Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Cc: linux-staging@xxxxxxxxxxxxxxx
    Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20210818044252.1533634-1-keescook@xxxxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c
index c9a6d97938f6..68889d082c3c 100644
--- a/drivers/staging/rts5208/rtsx_scsi.c
+++ b/drivers/staging/rts5208/rtsx_scsi.c
@@ -2841,10 +2841,10 @@ static int get_ms_information(struct scsi_cmnd *srb, struct rtsx_chip *chip)
 	}
 
 	if (dev_info_id == 0x15) {
-		buf_len = 0x3A;
+		buf_len = 0x3C;
 		data_len = 0x3A;
 	} else {
-		buf_len = 0x6A;
+		buf_len = 0x6C;
 		data_len = 0x6A;
 	}
 
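Review bot: In both branches the new `buf_len` values (0x3C, 0x6C) are still hand-written constants kept next to `data_len` (0x3A, 0x6A), so the "2 bytes larger" relationship from the commit message exists only as an unexplained numeric difference and can drift again. Consider assigning `data_len` first and deriving `buf_len = data_len + 2`, with a short comment saying what the two extra bytes hold, so the allocation size cannot fall out of step with the data length in a later edit.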
@@ -2895,11 +2895,7 @@ static int get_ms_information(struct scsi_cmnd *srb, struct rtsx_chip *chip)
 	}
 
 	rtsx_stor_set_xfer_buf(buf, buf_len, srb);
-
-	if (dev_info_id == 0x15)
-		scsi_set_resid(srb, scsi_bufflen(srb) - 0x3C);
-	else
-		scsi_set_resid(srb, scsi_bufflen(srb) - 0x6C);
+	scsi_set_resid(srb, scsi_bufflen(srb) - buf_len);
 
 	kfree(buf);
 	return STATUS_SUCCESS;
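Review bot: On the added `scsi_set_resid(srb, scsi_bufflen(srb) - buf_len);` line, nothing in the visible context shows that `scsi_bufflen(srb)` is at least `buf_len`, so a request with a shorter transfer buffer would produce a wrapped or negative residual. The removed lines had the same exposure with the literal 0x3C/0x6C, so this is not a regression, but since the line is being rewritten anyway it is worth either pointing to the earlier check that guarantees the bound or clamping the value here. Also note that this replacement is behaviour-preserving only because the first hunk raises `buf_len` to 0x3C/0x6C; the commit message describes only the allocation size fix, so a sentence there mentioning the resid consolidation would help anyone backporting one hunk without the other.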


