[PATCH] [SCSI] esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_vda_ioctl()

public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed

From: Qiu-ji Chen <chenqiuji666@gmail.com>
To: linuxdrivers@attotech.com, James.Bottomley@HansenPartnership.com,
	martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
	baijiaju1990@gmail.com, Qiu-ji Chen <chenqiuji666@gmail.com>,
	stable@vger.kernel.org
Subject: [PATCH] [SCSI] esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_vda_ioctl()
Date: Thu,  7 Nov 2024 19:36:17 +0800	[thread overview]
Message-ID: <20241107113617.402343-1-chenqiuji666@gmail.com> (raw)

In line 1854 of the file esas2r_ioctl.c, the function 
esas2r_process_vda_ioctl() is called with the parameter vi being assigned 
the value of a->vda_buffer. On line 1892, a->vda_buffer is stored in DMA 
memory with the statement 
a->vda_buffer = dma_alloc_coherent(&a->pcid->dev, ..., indicating that the 
parameter vi passed to the function is also stored in DMA memory. This 
suggests that the parameter vi could be altered at any time by malicious 
hardware. If vi’s value is changed after the first conditional check 
if (vi->function >= vercnt), it is likely that an array out-of-bounds 
access could occur in the subsequent check 
if (vi->version > esas2r_vdaioctl_versions[vi_function]), leading to 
serious issues.

To fix this issue, we will store the value of vi->function in a local 
variable to ensure that the subsequent checks remain valid.

Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
Cc: stable@vger.kernel.org
Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver")
---
 drivers/scsi/esas2r/esas2r_vda.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/esas2r/esas2r_vda.c b/drivers/scsi/esas2r/esas2r_vda.c
index 30028e56df63..48af8c05b01d 100644
--- a/drivers/scsi/esas2r/esas2r_vda.c
+++ b/drivers/scsi/esas2r/esas2r_vda.c
@@ -70,16 +70,17 @@ bool esas2r_process_vda_ioctl(struct esas2r_adapter *a,
 	u32 datalen = 0;
 	struct atto_vda_sge *firstsg = NULL;
 	u8 vercnt = (u8)ARRAY_SIZE(esas2r_vdaioctl_versions);
+	u8 vi_function = vi->function;
 
 	vi->status = ATTO_STS_SUCCESS;
 	vi->vda_status = RS_PENDING;
 
-	if (vi->function >= vercnt) {
+	if (vi_function >= vercnt) {
 		vi->status = ATTO_STS_INV_FUNC;
 		return false;
 	}
 
-	if (vi->version > esas2r_vdaioctl_versions[vi->function]) {
+	if (vi->version > esas2r_vdaioctl_versions[vi_function]) {
 		vi->status = ATTO_STS_INV_VERSION;
 		return false;
 	}
@@ -89,14 +90,14 @@ bool esas2r_process_vda_ioctl(struct esas2r_adapter *a,
 		return false;
 	}
 
-	if (vi->function != VDA_FUNC_SCSI)
+	if (vi_function != VDA_FUNC_SCSI)
 		clear_vda_request(rq);
 
-	rq->vrq->scsi.function = vi->function;
+	rq->vrq->scsi.function = vi_function;
 	rq->interrupt_cb = esas2r_complete_vda_ioctl;
 	rq->interrupt_cx = vi;
 
-	switch (vi->function) {
+	switch (vi_function) {
 	case VDA_FUNC_FLASH:
 
 		if (vi->cmd.flash.sub_func != VDA_FLASH_FREAD
-- 
2.34.1

next             reply	other threads:[~2024-11-07 11:36 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-07 11:36 Qiu-ji Chen [this message]
2024-11-07 15:08 ` [PATCH] [SCSI] esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_vda_ioctl() Greg KH
  -- strict thread matches above, loose matches on Subject: below --
2024-06-12  9:31 Huai-Yuan Liu

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:30028e56df6 dfblob:48af8c05b01 )
 OR (
bs:"[PATCH] [SCSI] esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_vda_ioctl()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241107113617.402343-1-chenqiuji666@gmail.com \
    --to=chenqiuji666@gmail.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=baijiaju1990@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=linuxdrivers@attotech.com \
    --cc=martin.petersen@oracle.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox