This is a note to let you know that I've just added the patch titled
scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From db95d4df71cb55506425b6e4a5f8d68e3a765b63 Mon Sep 17 00:00:00 2001
From: Tomas Henzl <thenzl@xxxxxxxxxx>
Date: Thu, 2 Feb 2023 17:24:49 +0100
Subject: scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
From: Tomas Henzl <thenzl@xxxxxxxxxx>
commit db95d4df71cb55506425b6e4a5f8d68e3a765b63 upstream.
Sanitize possible addl_desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().
Link: https://lore.kernel.org/r/20230202162451.15346-3-thenzl@xxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tomas Henzl <thenzl@xxxxxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/scsi/ses.c | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -433,8 +433,8 @@ int ses_match_host(struct enclosure_devi
}
#endif /* 0 */
-static void ses_process_descriptor(struct enclosure_component *ecomp,
- unsigned char *desc)
+static int ses_process_descriptor(struct enclosure_component *ecomp,
+ unsigned char *desc, int max_desc_len)
{
int eip = desc[0] & 0x10;
int invalid = desc[0] & 0x80;
@@ -445,22 +445,32 @@ static void ses_process_descriptor(struc
unsigned char *d;
if (invalid)
- return;
+ return 0;
switch (proto) {
case SCSI_PROTOCOL_FCP:
if (eip) {
+ if (max_desc_len <= 7)
+ return 1;
d = desc + 4;
slot = d[3];
}
break;
case SCSI_PROTOCOL_SAS:
+
if (eip) {
+ if (max_desc_len <= 27)
+ return 1;
d = desc + 4;
slot = d[3];
d = desc + 8;
- } else
+ } else {
+ if (max_desc_len <= 23)
+ return 1;
d = desc + 4;
+ }
+
+
/* only take the phy0 addr */
addr = (u64)d[12] << 56 |
(u64)d[13] << 48 |
@@ -477,6 +487,8 @@ static void ses_process_descriptor(struc
}
ecomp->slot = slot;
scomp->addr = addr;
+
+ return 0;
}
struct efd {
@@ -549,7 +561,7 @@ static void ses_enclosure_data_process(s
/* skip past overall descriptor */
desc_ptr += len + 4;
}
- if (ses_dev->page10)
+ if (ses_dev->page10 && ses_dev->page10_len > 9)
addl_desc_ptr = ses_dev->page10 + 8;
type_ptr = ses_dev->page1_types;
components = 0;
@@ -557,6 +569,7 @@ static void ses_enclosure_data_process(s
for (j = 0; j < type_ptr[1]; j++) {
char *name = NULL;
struct enclosure_component *ecomp;
+ int max_desc_len;
if (desc_ptr) {
if (desc_ptr >= buf + page7_len) {
@@ -583,10 +596,14 @@ static void ses_enclosure_data_process(s
ecomp = &edev->component[components++];
if (!IS_ERR(ecomp)) {
- if (addl_desc_ptr)
- ses_process_descriptor(
- ecomp,
- addl_desc_ptr);
+ if (addl_desc_ptr) {
+ max_desc_len = ses_dev->page10_len -
+ (addl_desc_ptr - ses_dev->page10);
+ if (ses_process_descriptor(ecomp,
+ addl_desc_ptr,
+ max_desc_len))
+ addl_desc_ptr = NULL;
+ }
if (create)
enclosure_component_register(
ecomp);
Patches currently in stable-queue which might be from thenzl@xxxxxxxxxx are
queue-6.1/scsi-mpt3sas-fix-a-memory-leak.patch
queue-6.1/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch
queue-6.1/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch
queue-6.1/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch
queue-6.1/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch
