All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] scsi: ses: validate the page 1 geometry before walking it
@ 2026-07-11  7:44 ` Bryam Vargas
  0 siblings, 0 replies; 3+ messages in thread
From: Bryam Vargas via B4 Relay @ 2026-07-11  7:44 UTC (permalink / raw)
  To: James E.J. Bottomley, Martin K. Petersen; +Cc: linux-scsi, linux-kernel

From: Bryam Vargas <hexlabsecurity@proton.me>

ses_intf_add() stores the enclosure's page 1 type-descriptor pointer and
count (page1_types, page1_num_types) without bounding them against the
page 1 buffer.  The page 2 descriptor walks, ses_enclosure_data_process()
and the logical-id read in ses_show_id() all iterate or index with those
device-supplied values.  An enclosure that reports a short page 1 with an
inflated type count, or one too short for its logical id, makes those
reads run past the page 1 allocation -- an out-of-bounds read of adjacent
slab, some of which ses_show_id() hands back to user space.

Validate the page 1 geometry where it is parsed and reject a page too
short for its logical id or declaring more type descriptors than it
carries.  Conforming enclosures are unaffected.

Fixes: 9927c68864e9 ("[SCSI] ses: add new Enclosure ULD")
Closes: https://sashiko.dev/#/patchset/20260706-b4-disp-29a05ca3-v1-1-49591f469f60@proton.me?part=1
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
Verified with an in-kernel KASAN model (7.2.0-rc1) that replays each
accessor over a real kmalloc'd page 1:
  - ses_show_id() read (page1+12, 8 bytes) over a 12-byte page 1
    -> BUG: KASAN: slab-out-of-bounds READ; a validated page 1 is clean.
  - a type_ptr walk with an inflated page1_num_types over a short page 1
    -> BUG: KASAN: slab-out-of-bounds READ; the geometry check stops it.
  - a conforming page 1 -> clean.
Reproducer available on request.
---
 drivers/scsi/ses.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 4c348645b04e..bbd8ff13cb2a 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -750,6 +750,22 @@ static int ses_intf_add(struct device *cdev)
 	ses_dev->page1_types = type_ptr;
 	ses_dev->page1_num_types = types;
 
+	/*
+	 * Validate the device-reported page 1 geometry once, here, before the
+	 * accessors walk it.  page1_types and page1_num_types come straight from
+	 * the enclosure, and the page 2 descriptor walks (ses_get_page2_descriptor(),
+	 * ses_set_page2_descriptor()), ses_enclosure_data_process() and the
+	 * logical-id read in ses_show_id() all trust them.  A page 1 shorter than
+	 * its logical-id field, or one that declares more type descriptors than it
+	 * carries, would make those reads run past the page 1 buffer.
+	 */
+	if (len < 8 + 4 + (int)sizeof(u64) ||
+	    ses_dev->page1_types > buf + len ||
+	    ses_dev->page1_num_types > (buf + len - ses_dev->page1_types) / 4) {
+		err = -EINVAL;
+		goto err_free;
+	}
+
 	for (i = 0; i < types && type_ptr < buf + len; i++, type_ptr += 4) {
 		if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
 		    type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE)

---
base-commit: dd3210c47e8d3ac6b4e9141fc68acc03b38c0ba3
change-id: 20260711-b4-disp-26cc3226-291ae14662de

Best regards,
-- 
Bryam Vargas <hexlabsecurity@proton.me>



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [PATCH] scsi: ses: validate the page 1 geometry before walking it
@ 2026-07-11  7:44 ` Bryam Vargas
  0 siblings, 0 replies; 3+ messages in thread
From: Bryam Vargas @ 2026-07-11  7:44 UTC (permalink / raw)
  To: James E.J. Bottomley, Martin K. Petersen; +Cc: linux-scsi, linux-kernel

ses_intf_add() stores the enclosure's page 1 type-descriptor pointer and
count (page1_types, page1_num_types) without bounding them against the
page 1 buffer.  The page 2 descriptor walks, ses_enclosure_data_process()
and the logical-id read in ses_show_id() all iterate or index with those
device-supplied values.  An enclosure that reports a short page 1 with an
inflated type count, or one too short for its logical id, makes those
reads run past the page 1 allocation -- an out-of-bounds read of adjacent
slab, some of which ses_show_id() hands back to user space.

Validate the page 1 geometry where it is parsed and reject a page too
short for its logical id or declaring more type descriptors than it
carries.  Conforming enclosures are unaffected.

Fixes: 9927c68864e9 ("[SCSI] ses: add new Enclosure ULD")
Closes: https://sashiko.dev/#/patchset/20260706-b4-disp-29a05ca3-v1-1-49591f469f60@proton.me?part=1
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
Verified with an in-kernel KASAN model (7.2.0-rc1) that replays each
accessor over a real kmalloc'd page 1:
  - ses_show_id() read (page1+12, 8 bytes) over a 12-byte page 1
    -> BUG: KASAN: slab-out-of-bounds READ; a validated page 1 is clean.
  - a type_ptr walk with an inflated page1_num_types over a short page 1
    -> BUG: KASAN: slab-out-of-bounds READ; the geometry check stops it.
  - a conforming page 1 -> clean.
Reproducer available on request.
---
 drivers/scsi/ses.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 4c348645b04e..bbd8ff13cb2a 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -750,6 +750,22 @@ static int ses_intf_add(struct device *cdev)
 	ses_dev->page1_types = type_ptr;
 	ses_dev->page1_num_types = types;
 
+	/*
+	 * Validate the device-reported page 1 geometry once, here, before the
+	 * accessors walk it.  page1_types and page1_num_types come straight from
+	 * the enclosure, and the page 2 descriptor walks (ses_get_page2_descriptor(),
+	 * ses_set_page2_descriptor()), ses_enclosure_data_process() and the
+	 * logical-id read in ses_show_id() all trust them.  A page 1 shorter than
+	 * its logical-id field, or one that declares more type descriptors than it
+	 * carries, would make those reads run past the page 1 buffer.
+	 */
+	if (len < 8 + 4 + (int)sizeof(u64) ||
+	    ses_dev->page1_types > buf + len ||
+	    ses_dev->page1_num_types > (buf + len - ses_dev->page1_types) / 4) {
+		err = -EINVAL;
+		goto err_free;
+	}
+
 	for (i = 0; i < types && type_ptr < buf + len; i++, type_ptr += 4) {
 		if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
 		    type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE)

---
base-commit: dd3210c47e8d3ac6b4e9141fc68acc03b38c0ba3
change-id: 20260711-b4-disp-26cc3226-291ae14662de

Best regards,
-- 
Bryam Vargas <hexlabsecurity@proton.me>


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] scsi: ses: validate the page 1 geometry before walking it
  2026-07-11  7:44 ` Bryam Vargas
  (?)
@ 2026-07-11  7:53 ` sashiko-bot
  -1 siblings, 0 replies; 3+ messages in thread
From: sashiko-bot @ 2026-07-11  7:53 UTC (permalink / raw)
  To: Bryam Vargas; +Cc: linux-scsi

Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:

New issues:
- [High] An integer truncation when storing the descriptor type count allows bypassing the new page 1 geometry validation, leading to an out-of-bounds read.

Pre-existing issues:
- [Critical] Diagnostic page 2 lacks length validation, leading to an integer underflow and massive out-of-bounds write in `ses_set_page2_descriptor`.
- [Critical] The page 2 descriptor iterations can access memory out of bounds if page 2 is smaller than the required size computed from page 1.
- [High] The newly added page 1 geometry validation is placed after the initial enclosure descriptor parsing loop, leaving the loop vulnerable to out-of-bounds reads.
- [High] The enclosure device is exposed to userspace before its private data (`edev->scratch`) is initialized, creating a race condition that leads to a NULL pointer dereference.
- [High] Diagnostic page 7 is parsed without adequate length validation, allowing out-of-bounds reads during device initialization.
--

--- Patch [1]: [PATCH] scsi: ses: validate the page 1 geometry before walking it ---
commit df60f2b0ae545a4bc27de56a34c9f4c56a73eb55
Author: Bryam Vargas <hexlabsecurity@proton.me>
Subject: scsi: ses: validate the page 1 geometry before walking it

This commit adds validation to the SCSI Enclosure Services (SES) driver to
verify the geometry of diagnostic page 1 before parsing it. It ensures the
page is long enough for its logical ID and bounds the number of type
descriptors to prevent out-of-bounds reads.

Link: https://sashiko.dev/#/patchset/20260706-b4-disp-29a05ca3-v1-1-49591f469f60@proton.me?part=1

> diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
> index 4c348645b04ee..bbd8ff13cb2a5 100644
> --- a/drivers/scsi/ses.c
> +++ b/drivers/scsi/ses.c
> @@ -750,6 +750,22 @@ static int ses_intf_add(struct device *cdev)
>  	ses_dev->page1_types = type_ptr;
>  	ses_dev->page1_num_types = types;

[Severity: High]
This is a pre-existing issue, but the loop just above this context:

	/* begin at the enclosure descriptor */
	type_ptr = buf + 8;
	/* skip all the enclosure descriptors */
	for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
		types += type_ptr[2];
		type_ptr += type_ptr[3] + 4;
	}

iterates and reads type_ptr[2] and type_ptr[3] before the newly added validation
check. Is it possible for this to cause an out-of-bounds read if the buffer is
smaller than 12 bytes?

> +	/*
> +	 * Validate the device-reported page 1 geometry once, here, before the
> +	 * accessors walk it.  page1_types and page1_num_types come straight from
> +	 * the enclosure, and the page 2 descriptor walks (ses_get_page2_descriptor(),
> +	 * ses_set_page2_descriptor()), ses_enclosure_data_process() and the
> +	 * logical-id read in ses_show_id() all trust them.  A page 1 shorter than
> +	 * its logical-id field, or one that declares more type descriptors than it
> +	 * carries, would make those reads run past the page 1 buffer.
> +	 */
> +	if (len < 8 + 4 + (int)sizeof(u64) ||
> +	    ses_dev->page1_types > buf + len ||
> +	    ses_dev->page1_num_types > (buf + len - ses_dev->page1_types) / 4) {

[Severity: High]
Can assigning the integer types to ses_dev->page1_num_types (which is a short)
cause a truncation? If a malicious device reports up to 256 enclosures and 255
types per enclosure, types could reach 65,280. When assigned to page1_num_types,
it truncates to a negative number (e.g., -256).

This would cause the ses_dev->page1_num_types > ... check to evaluate as false,
bypassing the validation and potentially allowing an out-of-bounds read in the
subsequent loop.

> +		err = -EINVAL;
> +		goto err_free;
> +	}
> +
>  	for (i = 0; i < types && type_ptr < buf + len; i++, type_ptr += 4) {
>  		if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
>  		    type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE)

[Severity: High]
This is a pre-existing issue, but looking further down in ses_intf_add():

	edev = enclosure_register(cdev->parent, dev_name(&sdev->sdev_gendev),
				  components, &ses_enclosure_callbacks);
	if (IS_ERR(edev)) {
		err = PTR_ERR(edev);
		goto err_free;
	}

	kfree(hdr_buf);

	edev->scratch = ses_dev;

Are we exposing the device to userspace before initializing its private data
(edev->scratch)? It looks like this creates a race window where userspace
could immediately read the sysfs attributes (like id), and the ses_show_id()
callback might dereference a NULL edev->scratch.


[Severity: High]
This isn't a bug introduced by this patch, but looking at ses_enclosure_data_process():

	} else {
		desc_ptr = buf + 8;
		len = (desc_ptr[2] << 8) + desc_ptr[3];
		/* skip past overall descriptor */
		desc_ptr += len + 4;
	}

We seem to parse diagnostic page 7 without adequate length validation here.
If the device provides a short page (e.g., length of 0, making the allocated
buffer 5 bytes), desc_ptr is advanced past the allocated buffer and
unconditionally dereferenced. Could this lead to out-of-bounds reads during
device initialization?


[Severity: Critical]
This is a pre-existing issue, but looking at ses_set_page2_descriptor():

	unsigned char *desc_ptr = ses_dev->page2 + 8;

	/* Clear everything */
	memset(desc_ptr, 0, ses_dev->page2_len - 8);

What happens if page2_len is less than 8? The subtraction would underflow
and cause memset to overwrite a massive amount of kernel memory. Should there
be length validation for diagnostic page 2 before this memset?


[Severity: Critical]
This is a pre-existing issue, but also in ses_set_page2_descriptor():

	for (i = 0; i < ses_dev->page1_num_types; i++, type_ptr += 4) {
		for (j = 0; j < type_ptr[1]; j++) {
			desc_ptr += 4;

It appears desc_ptr is unconditionally advanced based on page1_num_types
without bounds checking against page2_len. If a device reports a large number
of types in page 1 but returns a truncated page 2, could this iterate out of
bounds and cause slab corruption during a subsequent memcpy?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260711-b4-disp-26cc3226-v1-1-e04c11c88996@proton.me?part=1

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-07-11  7:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-11  7:44 [PATCH] scsi: ses: validate the page 1 geometry before walking it Bryam Vargas via B4 Relay
2026-07-11  7:44 ` Bryam Vargas
2026-07-11  7:53 ` sashiko-bot

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.