From patchwork Mon Oct 19 13:48:20 2015
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 7437301
Date: Mon, 19 Oct 2015 16:48:20 +0300
From: Dan Carpenter
To: "James E.J. Bottomley"
Cc: linux-scsi@vger.kernel.org, 程君(成淼), throber3, security@kernel.org
Subject: [patch] ses: tighten range checks in ses_intf_add()
Message-ID: <20151019134820.GA28752@mwanda>
In-Reply-To: <----An------QYmAn$10b010ca-f710-44aa-8ea3-3b65a3c21286@alibaba-inc.com>

We test that "type_ptr" is within the buffer but then we read from "type_ptr[3]" so we could be reading beyond the end of the buffer.

Reported-by: "Berry Cheng 程君(成淼)"
Signed-off-by: Dan Carpenter
---
This isn't a complete fix because we still need more range checking in all the other places which use type_ptr, like ses_get_page2_descriptor().

We record len as page1_len but we don't use it anywhere... I wonder, if someone knew the expected format, whether we could reject too short lengths earlier.

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index dcb0d76..39f69b0 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -641,7 +641,7 @@ static int ses_intf_add(struct device *cdev, /* begin at the enclosure descriptor */ type_ptr = buf + 8; /* skip all the enclosure descriptors */ - for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) { + for (i = 0; i < num_enclosures && type_ptr + 4 < buf + len; i++) { types += type_ptr[2]; type_ptr += type_ptr[3] + 4; } @@ -649,7 +649,7 @@ static int ses_intf_add(struct device *cdev, ses_dev->page1_types = type_ptr; ses_dev->page1_num_types = types; - for (i = 0; i < types && type_ptr < buf + len; i++, type_ptr += 4) { + for (i = 0; i < types && type_ptr + 2 < buf + len; i++, type_ptr += 4) { if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE) components += type_ptr[1];
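Review bot: in the first hunk, `type_ptr + 4 < buf + len` is one byte stricter than the reads require: the loop touches type_ptr[2] and type_ptr[3], so `type_ptr + 4 <= buf + len` is the exact bound, and the strict `<` rejects an enclosure descriptor whose 4-byte header ends exactly at buf + len. The larger gap is what happens when the loop stops on the bounds check rather than on i reaching num_enclosures: control falls through to `ses_dev->page1_types = type_ptr;` with a type_ptr that may already be past the end of buf (the `type_ptr += type_ptr[3] + 4` advance is not bounded), and nothing tells the caller the page was truncated. Consider treating an early exit as a malformed page and failing ses_intf_add() instead of continuing with a partially parsed descriptor list.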
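Review bot: in the second hunk, `type_ptr + 2 < buf + len` does not match the loop's 4-byte stride (`type_ptr += 4`): each type descriptor header occupies 4 bytes, so `type_ptr + 4 <= buf + len` would be consistent with the first hunk and guarantee that every entry the loop accepts is complete. Also, `ses_dev->page1_num_types = types;` is stored before the loop, so any later consumer walking page1_types for page1_num_types entries (the remaining users of type_ptr the cover note mentions, such as ses_get_page2_descriptor()) can still run past the range this loop validated; setting page1_num_types to the number of entries actually checked (the loop's final i) would close that for anyone relying on the count.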