This is a note to let you know that I've just added the patch titled scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses to the 6.2-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch and it can be found in the queue-6.2 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From db95d4df71cb55506425b6e4a5f8d68e3a765b63 Mon Sep 17 00:00:00 2001 From: Tomas Henzl <thenzl@xxxxxxxxxx> Date: Thu, 2 Feb 2023 17:24:49 +0100 Subject: scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses From: Tomas Henzl <thenzl@xxxxxxxxxx> commit db95d4df71cb55506425b6e4a5f8d68e3a765b63 upstream. Sanitize possible addl_desc_ptr out-of-bounds accesses in ses_enclosure_data_process(). Link: https://lore.kernel.org/r/20230202162451.15346-3-thenzl@xxxxxxxxxx Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Tomas Henzl <thenzl@xxxxxxxxxx> Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/scsi/ses.c | 35 ++++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -433,8 +433,8 @@ int ses_match_host(struct enclosure_devi } #endif /* 0 */ -static void ses_process_descriptor(struct enclosure_component *ecomp, - unsigned char *desc) +static int ses_process_descriptor(struct enclosure_component *ecomp, + unsigned char *desc, int max_desc_len) { int eip = desc[0] & 0x10; int invalid = desc[0] & 0x80; @@ -445,22 +445,32 @@ static void ses_process_descriptor(struc unsigned char *d; if (invalid) - return; + return 0; switch (proto) { case SCSI_PROTOCOL_FCP: if (eip) { + if (max_desc_len <= 7) + return 1; d = desc + 4; slot = d[3]; } break; case SCSI_PROTOCOL_SAS: + if (eip) { + if (max_desc_len <= 27) + return 1; d = desc + 4; slot = d[3]; d = desc + 8; - } else + } else { + if (max_desc_len <= 23) + return 1; d = desc + 4; + } + + /* only take the phy0 addr */ addr = (u64)d[12] << 56 | (u64)d[13] << 48 | @@ -477,6 +487,8 @@ static void ses_process_descriptor(struc } ecomp->slot = slot; scomp->addr = addr; + + return 0; } struct efd { @@ -549,7 +561,7 @@ static void ses_enclosure_data_process(s /* skip past overall descriptor */ desc_ptr += len + 4; } - if (ses_dev->page10) + if (ses_dev->page10 && ses_dev->page10_len > 9) addl_desc_ptr = ses_dev->page10 + 8; type_ptr = ses_dev->page1_types; components = 0; @@ -557,6 +569,7 @@ static void ses_enclosure_data_process(s for (j = 0; j < type_ptr[1]; j++) { char *name = NULL; struct enclosure_component *ecomp; + int max_desc_len; if (desc_ptr) { if (desc_ptr >= buf + page7_len) { @@ -583,10 +596,14 @@ static void ses_enclosure_data_process(s ecomp = &edev->component[components++]; if (!IS_ERR(ecomp)) { - if (addl_desc_ptr) - ses_process_descriptor( - ecomp, - addl_desc_ptr); + if (addl_desc_ptr) { + max_desc_len = ses_dev->page10_len - + (addl_desc_ptr - ses_dev->page10); + if (ses_process_descriptor(ecomp, + addl_desc_ptr, + max_desc_len)) + addl_desc_ptr = NULL; + } if (create) enclosure_component_register( ecomp); Patches currently in stable-queue which might be from thenzl@xxxxxxxxxx are queue-6.2/scsi-mpt3sas-fix-a-memory-leak.patch queue-6.2/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch queue-6.2/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch queue-6.2/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch queue-6.2/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch