From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paolo Bonzini
Subject: Re: [PATCH] SCSI: Fix potential out-of-bounds access in drivers/scsi/sd.c
Date: Fri, 06 Sep 2013 18:24:11 +0200
Message-ID: <522A01AB.4010508@redhat.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:34066 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756072Ab3IFQY1 (ORCPT ); Fri, 6 Sep 2013 12:24:27 -0400
In-Reply-To:
Sender: linux-scsi-owner@vger.kernel.org
List-Id: linux-scsi@vger.kernel.org
To: Alan Stern
Cc: James Bottomley, SCSI development list, Hannes Reinecke, Dmitry Vyukov, richard@r-senior.demon.co.uk, ltuikov@yahoo.com, Andrey Konovalov, Kostya Serebryany

On 06/09/2013 17:49, Alan Stern wrote:
> This patch fixes an out-of-bounds error in sd_read_cache_type(), found
> by Google's AddressSanitizer tool. When the loop ends, we know that
> "offset" lies beyond the end of the data in the buffer, so no Caching
> mode page was found. In theory it may be present, but the buffer size
> is limited to 512 bytes.
>
> Signed-off-by: Alan Stern
> Reported-by: Dmitry Vyukov
> CC:

Reviewed-by: Paolo Bonzini

>
> ---
>
>
> [as1709]
>
>
> drivers/scsi/sd.c | 11 +++--------
> 1 file changed, 3 insertions(+), 8 deletions(-)
>
> Index: usb-3.11/drivers/scsi/sd.c
> ===================================================================
> --- usb-3.11.orig/drivers/scsi/sd.c
> +++ usb-3.11/drivers/scsi/sd.c
> @@ -2419,14 +2419,9 @@ sd_read_cache_type(struct scsi_disk *sdk > } > } > > - if (modepage == 0x3F) { > - sd_printk(KERN_ERR, sdkp, "No Caching mode page " > - "present\n"); > - goto defaults; > - } else if ((buffer[offset] & 0x3f) != modepage) { > - sd_printk(KERN_ERR, sdkp, "Got wrong page\n"); > - goto defaults; > - } > + sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n"); > + goto defaults; > + > Page_found: > if (modepage == 8) { > sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0); >
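
Review bot: The context lines after Page_found still read buffer[offset + 2], and nothing visible in this hunk shows that offset + 2 is inside the returned data when the loop jumps to that label. Removing the post-loop buffer[offset] read closes the access the commit message describes, but the loop body is outside the hunk, so it is worth confirming that it checks the remaining length (at least three bytes from offset) before the goto Page_found, or adding that check there. A smaller point: the commit message says the page may exist beyond the 512-byte buffer, so the new KERN_ERR text "No Caching mode page found" could mention that the search was limited to the buffer, since the two removed messages no longer distinguish the cases.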