Dear all
When our customer probe the lpfc devices, they encountered odd memory corruption issues,
and we get 'out of bound' access warning at following position after open KASAN
ses_enclosure_data_process
for (i = 0; i < types; i++, type_ptr += 4) {
for (j = 0; j < type_ptr[1]; j++) {
^^^^^^^^^^^
out of bound
With some debug log, I got following,
page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
Would anyone please give some suggestions on this ?
Thanks
Jianchao
Would anyone please give some suggestions ?
It looks like there somethings wrong in the read-in data,
/* skip all the enclosure descriptors */
for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
types += type_ptr[2];
type_ptr += type_ptr[3] + 4; ----> here
}
Then the typr_ptr got out of bound of the buffer.
Thanks
Jianchao
On 3/14/19 11:19 AM, jianchao.wang wrote:
> Dear all
>
> When our customer probe the lpfc devices, they encountered odd memory corruption issues,
> and we get 'out of bound' access warning at following position after open KASAN
>
> ses_enclosure_data_process
>
> for (i = 0; i < types; i++, type_ptr += 4) {
> for (j = 0; j < type_ptr[1]; j++) {
> ^^^^^^^^^^^
> out of bound
>
> With some debug log, I got following,
>
> page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
>
> Would anyone please give some suggestions on this ?
>
> Thanks
> Jianchao
>
Add lpfc maintainer James & Dick. Could you help take a look?
Thanks,
Junxiao.
On 3/18/19 11:13 AM, jianchao.wang wrote:
> Would anyone please give some suggestions ?
>
> It looks like there somethings wrong in the read-in data,
>
> /* skip all the enclosure descriptors */
> for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
> types += type_ptr[2];
> type_ptr += type_ptr[3] + 4; ----> here
> }
> Then the typr_ptr got out of bound of the buffer.
>
>
> Thanks
> Jianchao
>
> On 3/14/19 11:19 AM, jianchao.wang wrote:
>> Dear all
>>
>> When our customer probe the lpfc devices, they encountered odd memory corruption issues,
>> and we get 'out of bound' access warning at following position after open KASAN
>>
>> ses_enclosure_data_process
>>
>> for (i = 0; i < types; i++, type_ptr += 4) {
>> for (j = 0; j < type_ptr[1]; j++) {
>> ^^^^^^^^^^^
>> out of bound
>>
>> With some debug log, I got following,
>>
>> page1 ffff88042d1aad20 len 32 types 5 type_ptr ffff88042d1aad64
>>
>> Would anyone please give some suggestions on this ?
>>
>> Thanks
>> Jianchao
>>
Jianchao,
> When our customer probe the lpfc devices, they encountered odd memory
> corruption issues, and we get 'out of bound' access warning at
> following position after open KASAN
Please provide the output of:
# sg_ses -p 1 /dev/sgN
# sg_ses -p 7 /dev/sgN
for the enclosure device in question.
--
Martin K. Petersen Oracle Linux Engineering
Hi Martin
Thanks for your kindly response.
On 3/18/19 1:01 PM, Martin K. Petersen wrote:
>
> Jianchao,
>
>> When our customer probe the lpfc devices, they encountered odd memory
>> corruption issues, and we get 'out of bound' access warning at
>> following position after open KASAN
>
> Please provide the output of:
>
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
>
> for the enclosure device in question.
OK, I will send this to customer.
And share the result here after get feedback.
Thanks
Jianchao
On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
> Jianchao,
>
> > When our customer probe the lpfc devices, they encountered odd memory
> > corruption issues, and we get 'out of bound' access warning at
> > following position after open KASAN
>
> Please provide the output of:
>
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
>
> for the enclosure device in question.
>
The ses driver is allocating kernel buffers based upon the size
reported by RECEIVE DIAGNOSTIC commands, and is iterating through
them based on sizes in the individual descriptors. It appears to
be vulnerable to incorrect data from the device causing out-of-bounds
memory access, because the for() test does not prevent the use of
the pointer in subsequent code, e.g.:
for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
types += type_ptr[2];
type_ptr += type_ptr[3] + 4;
}
ses_dev->page1_types = type_ptr;
ses_dev->page1_num_types = types;
Whether or not this is the current problem, it's wrong.
-Ewan
On 3/18/19 11:22 PM, Ewan D. Milne wrote:
> On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
>> Jianchao,
>>
>>> When our customer probe the lpfc devices, they encountered odd memory
>>> corruption issues, and we get 'out of bound' access warning at
>>> following position after open KASAN
>>
>> Please provide the output of:
>>
>> # sg_ses -p 1 /dev/sgN
>> # sg_ses -p 7 /dev/sgN
>>
>> for the enclosure device in question.
>>
>
> The ses driver is allocating kernel buffers based upon the size
> reported by RECEIVE DIAGNOSTIC commands, and is iterating through
> them based on sizes in the individual descriptors. It appears to
> be vulnerable to incorrect data from the device causing out-of-bounds
> memory access, because the for() test does not prevent the use of
> the pointer in subsequent code, e.g.:
>
> for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
> types += type_ptr[2];
> type_ptr += type_ptr[3] + 4;
> }
>
> ses_dev->page1_types = type_ptr;
> ses_dev->page1_num_types = types;
>
> Whether or not this is the current problem, it's wrong.
>
Yes, I definitely agree with this.
There should be some change here.
Thanks
Jianchao