Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
From:   George Kennedy <george.kennedy@oracle.com>
To:     gregkh@linuxfoundation.org, jejb@linux.ibm.com,
        martin.petersen@oracle.com
Cc:     george.kennedy@oracle.com, linux-scsi@vger.kernel.org,
        linux-kernel@vger.kernel.org, dan.carpenter@oracle.com
Subject: [PATCH v2] scsi: scsi_debug: fix type in min_t to avoid stack OOB
Date:   Tue,  2 Nov 2021 09:06:37 -0500
Message-Id: <1635861997-987-1-git-send-email-george.kennedy@oracle.com>
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?tblHP371fq3YL5LhXn0WS7Pgn25FaiEvH1jQjT0+aZ0UlRdo3G1fgrZie2uC?=
 =?us-ascii?Q?omWYCXBKhWeTM5bm4elDzS/uHPEpMKBQou0DWmo74vpD5M7Cc4v7g7U55sN2?=
 =?us-ascii?Q?Q/lGiHQX+qVyMkDWW3WpaC4vxwf2c1kTlv4GERmKDgjsyW89yIpYsYp0YW/B?=
 =?us-ascii?Q?volYKYjuKlLbvN7J27MCKwvdPrtRlOXeu1ohA7jDRY4N0vUrEgRG1vLDTXMt?=
 =?us-ascii?Q?k9faA+g/0d0rVzJhfGw0jR4/CQw76PWmIjUrAMVkbGLIGc9aTDjYxyjHfKSM?=
 =?us-ascii?Q?ALJUA91prZTVJJQNxb7HE8sagYUfLVuCK3rtnrhJOdLdjF7lWNHLpEdlze0Y?=
 =?us-ascii?Q?8xEYBIAhQQKDwK5oseWAZKK052ourI3Q7Rnjag4KAcNXEY92o0Zqj/9sLE73?=
 =?us-ascii?Q?O84yNwXqzmd0eENqsIsYe/jXY07Ubgescyrxf3xzkqpiIgOg6sRmkyfy2vM3?=
 =?us-ascii?Q?A5rMIoXGmN3sVI9sea0fMlFdfrev/QFKyKfRgmuX3enn4UbCTr5wTXbkpu2+?=
 =?us-ascii?Q?hFQBDTiI2913fIXTAJKM5LLLKaVGKzSFDSKg68cAMS6IF6/CcpgXI3wTm+ay?=
 =?us-ascii?Q?4eqkdcycdySfuWa8+/UhqWy7i2TvWaO4HOpqwvdMXpDW5uH7CCiz4mrHgcai?=
 =?us-ascii?Q?lvhyyl1goArvaJLJ3+8spdyv098f2cQ++jeLxaLWbIlplIlGJDm+G9VOWWt6?=
 =?us-ascii?Q?GeB8Xgi7HiIvWl3DHqa12BpzogoF/EkpaimS2ryc9wnG5Sq1LYaDPY7ytvpT?=
 =?us-ascii?Q?30dol+60amaLHVXy4GJXILZ4D3IsQzm1/XnUJ2e5YMO0TxJiihDqmn5wupo4?=
 =?us-ascii?Q?7b4ZZx4lQM2q0aRuRFneEaRyk0sMlJFFOaUjxrLhwxwUxZCv6FHc+FRtSF7C?=
 =?us-ascii?Q?v7VmLBJliYbxAFWIH/2bwCWfc6G7iXeROVxaOcWTT3w3lOi9K10xgSdPh4ec?=
 =?us-ascii?Q?i/UE7o3BfBaT5SAn5HvF7L+DJk9Ltvor/+ZD5LKiV46dFXoauU1FJ8yf0LPJ?=
 =?us-ascii?Q?4V/4TKqaCO+F+qcZjgqiGw1YxPwGfQ/sTCXyXiOsszGNqFM/kJCvUn66ONgO?=
 =?us-ascii?Q?DA46ErGOygldcrre7MC899fRSNgIHM+i9iQi3o230vZQ0uV3mmafCo6512IB?=
 =?us-ascii?Q?MT9MwKLyEKf+PAFPTGLPl8xi7GFvaUs+PNPUeCYeRkD9axaNjAOCL9+V4ZP7?=
 =?us-ascii?Q?uphm+6RgsHRgGuTMfX6UwX9m2GeOxocl9CP7FHxKWBRB/6ei3g+Sa6FYqNiw?=
 =?us-ascii?Q?+9JQCIQatB9YcnJ3qP59DX/EGvtASk//PAxVXjfeOV7V6P4mDJFM6Z9VqATy?=
 =?us-ascii?Q?kDvr3i6vM+Hep0Mmc+YQWElzVt3L13yHoL9XpHswjv92hl04FgPLJYrPRrTW?=
 =?us-ascii?Q?0bQvCc0BZbTJ+PZVzzu7YzZL5H7eonNWKNi+DpXNVcbZzfiSBeeql5M0W6Ur?=
 =?us-ascii?Q?bsjFZCOSq2kq5TBy3lyBciwo0yDE9pRoGA9Z43nGAG5MiQmAyKfr8K4mJxM4?=
 =?us-ascii?Q?K30cRKT7SGoGRj6bs+AJ8Z7YnMGg7XuByMw/1qyK3PhENO7qTydn3Ox3SzeD?=
 =?us-ascii?Q?L4TUr67id5KagG8RnUiP2ap135p1pnV7Q4qO/NYg5uaLSRJjpwqKNc97Zhal?=
 =?us-ascii?Q?tVvlmn2ZQL1UGWFICkX+bgZ9sNrCZhh0TKiO41OXz3zXBAOa5gB9KsN9p83h?=
 =?us-ascii?Q?YPR/gg=3D=3D?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cb2afb23-2991-4d87-2dce-08d99e0a4ada
X-MS-Exchange-CrossTenant-AuthSource: BN0PR10MB5192.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Nov 2021 14:08:49.4022
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: IfVfMCpwaK3D6Nx31bInMSGcHiP7727N4MIcVZc22i6I3telUpGpZauZKPGmPR8i9+CqD5iF+fLPWLVbyVYWgkmVi3cAoLync7pzIsJaFiA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR10MB1313
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10155 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 phishscore=0 malwarescore=0
 mlxscore=0 suspectscore=0 mlxlogscore=999 adultscore=0 spamscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000
 definitions=main-2111020084
X-Proofpoint-ORIG-GUID: 0k3eh4DgYSZsgUPQN2PfESLe9NtvMO3r
X-Proofpoint-GUID: 0k3eh4DgYSZsgUPQN2PfESLe9NtvMO3r
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Change min_t() to use type "unsigned int" instead of type "int" to
avoid stack out of bounds. With min_t() type "int" the values get
sign extended and the larger value gets used causing stack out of bounds.

BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976
Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707

CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189
 memcpy+0x23/0x60 mm/kasan/shadow.c:65
 memcpy include/linux/fortify-string.h:191 [inline]
 sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976
 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000
 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162
 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline]
 resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887
 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478
 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]
 scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
---
 drivers/scsi/scsi_debug.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 40b473e..e4c48fb 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1189,7 +1189,7 @@ static int p_fill_from_dev_buffer(struct scsi_cmnd *scp, const void *arr,
 		 __func__, off_dst, scsi_bufflen(scp), act_len,
 		 scsi_get_resid(scp));
 	n = scsi_bufflen(scp) - (off_dst + act_len);
-	scsi_set_resid(scp, min_t(int, scsi_get_resid(scp), n));
+	scsi_set_resid(scp, min_t(unsigned int, scsi_get_resid(scp), n));
 	return 0;
 }
 
@@ -1714,7 +1714,7 @@ static int resp_inquiry(struct scsi_cmnd *scp, struct sdebug_dev_info *devip)
 	}
 	put_unaligned_be16(0x2100, arr + n);	/* SPL-4 no version claimed */
 	ret = fill_from_dev_buffer(scp, arr,
-			    min_t(int, alloc_len, SDEBUG_LONG_INQ_SZ));
+			    min_t(unsigned int, alloc_len, SDEBUG_LONG_INQ_SZ));
 	kfree(arr);
 	return ret;
 }
@@ -1774,7 +1774,7 @@ static int resp_requests(struct scsi_cmnd *scp,
 			arr[7] = 0xa;
 		}
 	}
-	return fill_from_dev_buffer(scp, arr, min_t(int, len, alloc_len));
+	return fill_from_dev_buffer(scp, arr, min_t(unsigned int, len, alloc_len));
 }
 
 static int resp_start_stop(struct scsi_cmnd *scp, struct sdebug_dev_info *devip)
@@ -1885,7 +1885,7 @@ static int resp_readcap16(struct scsi_cmnd *scp,
 	}
 
 	return fill_from_dev_buffer(scp, arr,
-			    min_t(int, alloc_len, SDEBUG_READCAP16_ARR_SZ));
+			    min_t(unsigned int, alloc_len, SDEBUG_READCAP16_ARR_SZ));
 }
 
 #define SDEBUG_MAX_TGTPGS_ARR_SZ 1412
@@ -1959,9 +1959,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
 	 * - The constructed command length
 	 * - The maximum array size
 	 */
-	rlen = min_t(int, alen, n);
+	rlen = min_t(unsigned int, alen, n);
 	ret = fill_from_dev_buffer(scp, arr,
-			   min_t(int, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
+			   min_t(unsigned int, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
 	kfree(arr);
 	return ret;
 }
@@ -2467,7 +2467,7 @@ static int resp_mode_sense(struct scsi_cmnd *scp,
 		arr[0] = offset - 1;
 	else
 		put_unaligned_be16((offset - 2), arr + 0);
-	return fill_from_dev_buffer(scp, arr, min_t(int, alloc_len, offset));
+	return fill_from_dev_buffer(scp, arr, min_t(unsigned int, alloc_len, offset));
 }
 
 #define SDEBUG_MAX_MSELECT_SZ 512
@@ -2652,9 +2652,9 @@ static int resp_log_sense(struct scsi_cmnd *scp,
 		mk_sense_invalid_fld(scp, SDEB_IN_CDB, 3, -1);
 		return check_condition_result;
 	}
-	len = min_t(int, get_unaligned_be16(arr + 2) + 4, alloc_len);
+	len = min_t(unsigned int, get_unaligned_be16(arr + 2) + 4, alloc_len);
 	return fill_from_dev_buffer(scp, arr,
-		    min_t(int, len, SDEBUG_MAX_INQ_ARR_SZ));
+		    min_t(unsigned int, len, SDEBUG_MAX_INQ_ARR_SZ));
 }
 
 static inline bool sdebug_dev_is_zoned(struct sdebug_dev_info *devip)
@@ -4425,7 +4425,7 @@ static int resp_report_zones(struct scsi_cmnd *scp,
 	put_unaligned_be64(sdebug_capacity - 1, arr + 8);
 
 	rep_len = (unsigned long)desc - (unsigned long)arr;
-	ret = fill_from_dev_buffer(scp, arr, min_t(int, alloc_len, rep_len));
+	ret = fill_from_dev_buffer(scp, arr, min_t(unsigned int, alloc_len, rep_len));
 
 fini:
 	read_unlock(macc_lckp);
-- 
1.8.3.1