From: sashiko-bot@kernel.org
To: "Bryam Vargas" <hexlabsecurity@proton.me>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH] scsi: ses: skip an enclosure status page shorter than its header
Date: Mon, 06 Jul 2026 04:45:23 +0000 [thread overview]
Message-ID: <20260706044524.161AF1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705-b4-disp-e1aca452-v1-1-1dab8448608c@proton.me>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
Pre-existing issues:
- [High] The patch prevents a `memset` length underflow by skipping Page 2 processing if `len < 8`, but fails to ensure that `page2` is large enough to hold all component descriptors defined in Page 1, leaving out-of-bounds reads and writes unpatched.
- [High] Missing length validation for Page 1 leads to out-of-bounds reads during descriptor parsing, leading to artificially large component counts.
- [High] Missing bounds check on Page 7 length leads to an unconditional out-of-bounds read.
- [High] Reading the `id` sysfs attribute leaks up to 8 bytes of uninitialized or adjacent kernel heap memory to user-space.
--
commit 30f64f6103a88369da925d5a9a969b26cc05a865
Author: Bryam Vargas <hexlabsecurity@proton.me>
scsi: ses: skip an enclosure status page shorter than its header
This commit prevents a heap out-of-bounds write by ensuring that the diagnostic
page 2 length is at least 8 bytes. It skips the page if the length is shorter
than its header.
> diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
> index 4c348645b04ee..f77054695e125 100644
> --- a/drivers/scsi/ses.c
> +++ b/drivers/scsi/ses.c
> @@ -766,6 +766,9 @@ static int ses_intf_add(struct device *cdev)
> goto page2_not_supported;
>
> len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
> + /* a status page too short for its 8-byte header carries no page 2 */
> + if (len < 8)
> + goto page2_not_supported;
[Severity: High]
This is a pre-existing issue, but does this check go far enough to prevent
out-of-bounds accesses for page 2?
While this ensures the buffer is at least 8 bytes, it doesn't guarantee it is
large enough to hold all component descriptors defined in page 1.
In both ses_set_page2_descriptor() and ses_get_page2_descriptor(), the loops
advance desc_ptr based on page 1 element counts:
drivers/scsi/ses.c:ses_set_page2_descriptor() {
...
memcpy(desc_ptr, desc, 4);
/* set select */
desc_ptr[0] |= 0x80;
...
}
If page2_len is 8, but page 1 defined multiple components, could these loops
still read or write past the end of the page 2 allocation?
[Severity: High]
This is a pre-existing issue, but does page 1 also suffer from missing length
validation that can lead to out-of-bounds reads?
When parsing page 1 elements earlier in ses_intf_add(), the loop condition only
checks the pointer address:
for (i = 0; i < num_enclosures && type_ptr < buf + len; i++) {
types += type_ptr[2];
type_ptr += type_ptr[3] + 4;
}
If len is short (e.g., 9 bytes), the loop body unconditionally accesses
type_ptr[2] and type_ptr[3], reading past the end of the allocation.
This could populate page1_num_types (the types variable) with untrusted heap
data.
Later in ses_enclosure_data_process(), the code iterates using this untrusted
types count without verifying against page1_len:
for (i = 0; i < types; i++, type_ptr += 4) {
for (j = 0; j < type_ptr[1]; j++) {
Could this lead to further out-of-bounds memory accesses?
[Severity: High]
This is a pre-existing issue, but is there a similar missing bounds check on
page 7?
In ses_enclosure_data_process(), the page 7 length is derived from its header.
If the device returns a length smaller than 8, the buffer is allocated too
small, but the code still unconditionally reads offsets 10 and 11:
desc_ptr = buf + 8;
len = (desc_ptr[2] << 8) + desc_ptr[3];
Could this lead to an unconditional out-of-bounds read if the page 7 buffer is
smaller than 12 bytes?
[Severity: High]
This is a pre-existing issue, but can ses_show_id() leak adjacent kernel heap
memory to user-space?
If a device returns a page 1 shorter than 20 bytes, ses_intf_add() will allocate
a small buffer.
However, ses_show_id() unconditionally reads 8 bytes from offset 12:
unsigned long long id = get_unaligned_be64(ses_dev->page1+8+4);
return sprintf(buf, "%#llx\n", id);
If page1_len is not validated, could this expose uninitialized or adjacent
heap memory via the id sysfs attribute?
> buf = kzalloc(len, GFP_KERNEL);
> if (!buf)
> goto err_free;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260705-b4-disp-e1aca452-v1-1-1dab8448608c@proton.me?part=1
prev parent reply other threads:[~2026-07-06 4:45 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 4:35 [PATCH] scsi: ses: skip an enclosure status page shorter than its header Bryam Vargas via B4 Relay
2026-07-06 4:45 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260706044524.161AF1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=hexlabsecurity@proton.me \
--cc=linux-scsi@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox