On Fri, 27 Jan 2023 16:04:13 -0800, Kees Cook wrote:
> The aac_priv() helper assumes that the private cmd area immediately
> follows struct scsi_cmnd. Allocate this space as part of scsicmd,
> else there is a risk of heap overflow. Seen with GCC 13:
>
> ../drivers/scsi/aacraid/aachba.c: In function 'aac_probe_container':
> ../drivers/scsi/aacraid/aachba.c:841:26: warning: array subscript 16 is outside array bounds of 'void[392]' [-Warray-bounds=]
> 841 | status = cmd_priv->status;
> | ^~
> In file included from ../include/linux/resource_ext.h:11,
> from ../include/linux/pci.h:40,
> from ../drivers/scsi/aacraid/aachba.c:22:
> In function 'kmalloc',
> inlined from 'kzalloc' at ../include/linux/slab.h:720:9,
> inlined from 'aac_probe_container' at ../drivers/scsi/aacraid/aachba.c:821:30:
> ../include/linux/slab.h:580:24: note: at offset 392 into object of size 392 allocated by 'kmalloc_trace'
> 580 | return kmalloc_trace(
> | ^~~~~~~~~~~~~~
> 581 | kmalloc_caches[kmalloc_type(flags)][index],
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 582 | flags, size);
> | ~~~~~~~~~~~~
>
> [...]
Applied to 6.3/scsi-queue, thanks!
[1/1] scsi: aacraid: Allocate cmd_priv with scsicmd
https://git.kernel.org/mkp/scsi/c/7ab734fc7598
--
Martin K. Petersen Oracle Linux Engineering
