This is a note to let you know that I've just added the patch titled

    scsi: ses: Fix possible desc_ptr out-of-bounds accesses

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 801ab13d50cf3d26170ee073ea8bb4eececb76ab Mon Sep 17 00:00:00 2001
From: Tomas Henzl <thenzl@xxxxxxxxxx>
Date: Thu, 2 Feb 2023 17:24:50 +0100
Subject: scsi: ses: Fix possible desc_ptr out-of-bounds accesses

From: Tomas Henzl <thenzl@xxxxxxxxxx>

commit 801ab13d50cf3d26170ee073ea8bb4eececb76ab upstream.

Sanitize possible desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().

Link: https://lore.kernel.org/r/20230202162451.15346-4-thenzl@xxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tomas Henzl <thenzl@xxxxxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/scsi/ses.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -588,15 +588,19 @@ static void ses_enclosure_data_process(s int max_desc_len; if (desc_ptr) { - if (desc_ptr >= buf + page7_len) { + if (desc_ptr + 3 >= buf + page7_len) { desc_ptr = NULL; } else { len = (desc_ptr[2] << 8) + desc_ptr[3]; desc_ptr += 4; - /* Add trailing zero - pushes into - * reserved space */ - desc_ptr[len] = '\0'; - name = desc_ptr; + if (desc_ptr + len > buf + page7_len) + desc_ptr = NULL; + else { + /* Add trailing zero - pushes into + * reserved space */ + desc_ptr[len] = '\0'; + name = desc_ptr; + } } } if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || Patches currently in stable-queue which might be from thenzl@xxxxxxxxxx are queue-4.19/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch queue-4.19/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch queue-4.19/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch queue-4.19/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch
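
Review bot: the second added check in ses_enclosure_data_process(), `if (desc_ptr + len > buf + page7_len)`, still accepts the case where desc_ptr + len == buf + page7_len, and the terminator write `desc_ptr[len] = '\0'` then lands on buf[page7_len], one byte past the page 7 data. The existing comment says the zero "pushes into reserved space", which holds when another descriptor follows but not for a descriptor that ends exactly at the end of the page. Unless buf is known to have at least one byte of slack beyond page7_len (its allocation is not visible in this hunk), consider `>=` here, or extend the comment to say why the equal case is safe. A minor style point on the same lines: the new if/else has braces on the else branch only, and kernel coding style asks for braces on both branches when either one needs them.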