From: Paolo Bonzini <pbonzini@redhat.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Dmitry Vyukov <dvyukov@google.com>,
linux-scsi@vger.kernel.org, richard@r-senior.demon.co.uk,
ltuikov@yahoo.com, jbottomley@parallels.com,
Andrey Konovalov <andreyknvl@google.com>,
Kostya Serebryany <kcc@google.com>
Subject: Re: Potential out-of-bounds access in drivers/scsi/sd.c
Date: Wed, 04 Sep 2013 16:45:45 +0200 [thread overview]
Message-ID: <52274799.4090605@redhat.com> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1309041030420.1186-100000@iolanthe.rowland.org>
Il 04/09/2013 16:32, Alan Stern ha scritto:
> On Wed, 4 Sep 2013, Dmitry Vyukov wrote:
>
>> Hi,
>>
>> We are working on a memory error detector AddressSanitizer for Linux
>> kernel (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel),
>> it can detect use-after-free and buffer-overflow errors.
>
> ...
>
>> The code in sd_read_cache_type does the following:
>>
>> while (offset < len) {
>> ...
>> }
>> ...
>> if ((buffer[offset] & 0x3f) != modepage) {
>> sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
>> goto defaults;
>> }
>>
>> When control leaves the while loop, offset >= len, so buffer[offset]
>> reads random garbage out-of-bounds.
>> It the worst case it can lead to crash, or if (buffer[offset] & 0x3f)
>> happen to be == modepage, then it will read more garbage.
>>
>> Please help validate and triage this.
>
> The tool's output is correct. The patch below should fix it.
>
> Alan Stern
>
>
>
> Index: usb-3.11/drivers/scsi/sd.c
> ===================================================================
> --- usb-3.11.orig/drivers/scsi/sd.c
> +++ usb-3.11/drivers/scsi/sd.c
> @@ -2419,7 +2419,7 @@ sd_read_cache_type(struct scsi_disk *sdk
> }
> }
>
> - if (modepage == 0x3F) {
> + if (modepage == 0x3F || offset + 2 >= len) {
> sd_printk(KERN_ERR, sdkp, "No Caching mode page "
> "present\n");
> goto defaults;
If you do this, the buggy "if" becomes dead code (the loop above doesn't
have any "break", so you know that offset >= len and the new condition
is always true).
So the patch does indeed prevent the bug, but the code can be simplified.
Paolo
next prev parent reply other threads:[~2013-09-04 14:45 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-04 0:31 Potential out-of-bounds access in drivers/scsi/sd.c Dmitry Vyukov
2013-09-04 14:32 ` Alan Stern
2013-09-04 14:45 ` Paolo Bonzini [this message]
2013-09-04 15:42 ` Alan Stern
2013-09-05 13:38 ` Hannes Reinecke
2013-09-06 15:49 ` [PATCH] SCSI: Fix potential " Alan Stern
2013-09-06 16:24 ` Paolo Bonzini
2013-09-09 6:25 ` Hannes Reinecke
2013-09-04 15:37 ` Potential " Dmitry Vyukov
2013-09-04 15:42 ` Alan Stern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52274799.4090605@redhat.com \
--to=pbonzini@redhat.com \
--cc=andreyknvl@google.com \
--cc=dvyukov@google.com \
--cc=jbottomley@parallels.com \
--cc=kcc@google.com \
--cc=linux-scsi@vger.kernel.org \
--cc=ltuikov@yahoo.com \
--cc=richard@r-senior.demon.co.uk \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.