Message-ID: <3b2542225e519a8cf8e329745b0ee2e2464787c7.camel@redhat.com>
Subject: Re: [BUG] scsi: ses: out of bound accessing in ses_enclosure_data_process
From: "Ewan D. Milne"
To: "Martin K. Petersen", "jianchao.wang"
Cc: jejb@linux.ibm.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Junxiao Bi, diego.gonzalez@oracle.com
Date: Mon, 18 Mar 2019 11:22:35 -0400
References: <78dd3eca-7e8a-72f9-07f9-e2c7cc4569b0@oracle.com>

On Mon, 2019-03-18 at 01:01 -0400, Martin K. Petersen wrote:
> Jianchao,
>
> > When our customer probe the lpfc devices, they encountered odd memory
> > corruption issues, and we get 'out of bound' access warning at
> > following position after open KASAN
>
> Please provide the output of:
>
> # sg_ses -p 1 /dev/sgN
> # sg_ses -p 7 /dev/sgN
>
> for the enclosure device in question.
>

The ses driver is allocating kernel buffers based upon the size reported
by RECEIVE DIAGNOSTIC commands, and is iterating through them based on
sizes in the individual descriptors. It appears to be vulnerable to
incorrect data from the device causing out-of-bounds memory access,
because the for() test does not prevent the use of the pointer in
subsequent code, e.g.:

	for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
		types += type_ptr[2];
		type_ptr += type_ptr[3] + 4;
	}
	ses_dev->page1_types = type_ptr;
	ses_dev->page1_num_types = types;

Whether or not this is the current problem, it's wrong.

-Ewan
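
Added example, not part of the original message and not the ses driver's code: a user-space sketch of the same descriptor walk in which every device-reported length is checked against the buffer before it is used, so a bad length is rejected instead of leaving a pointer past the end. The function name, its parameters and the sample pages are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not kernel code. Walks num_enclosures descriptors
 * starting at buf[off]; as in the quoted loop, byte 2 of each descriptor is
 * its type count and byte 3 its remaining length. Outputs are written only
 * when every descriptor lies fully inside buf[0..len). */
int walk_enclosure_descs(const uint8_t *buf, size_t len, size_t off,
                         unsigned num_enclosures,
                         size_t *types_off, unsigned *num_types)
{
    unsigned types = 0;

    for (unsigned i = 0; i < num_enclosures; i++) {
        /* The 4 header bytes must exist before bytes 2 and 3 are read. */
        if (off > len || len - off < 4)
            return -1;
        size_t step = (size_t)buf[off + 3] + 4;
        /* The device-reported length must not carry us past the buffer. */
        if (step > len - off)
            return -1;
        types += buf[off + 2];
        off += step;
    }
    *types_off = off;
    *num_types = types;
    return 0;
}

/* Constructed sample data: one 8-byte descriptor declaring 1 type,
 * followed by 4 bytes standing in for the type descriptor list. */
static const uint8_t good_page[12] = { 0x11, 0, 1, 4, 'A', 'B', 'C', 'D', 0x17, 2, 0, 0 };
/* Same bytes, but the device reports a length of 0xff for the descriptor. */
static const uint8_t bad_page[12]  = { 0x11, 0, 1, 0xff, 'A', 'B', 'C', 'D', 0x17, 2, 0, 0 };

int main(void)
{
    size_t off = 0;
    unsigned n = 0;
    int rc = walk_enclosure_descs(good_page, sizeof good_page, 0, 1, &off, &n);
    printf("good: rc=%d types_off=%zu num_types=%u\n", rc, off, n);
    rc = walk_enclosure_descs(bad_page, sizeof bad_page, 0, 1, &off, &n);
    printf("bad:  rc=%d (outputs untouched)\n", rc);
    return 0;
}
```

Unlike the quoted loop, a descriptor count larger than the data supports is an error here rather than a silent loop exit, so the caller never stores an offset it has not validated.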