[Bug 218436] New: UBSAN: array-index-out-of-bounds in drivers/scsi/aacraid/aachba.c

[bugzilla-daemon@kernel.org]

https://bugzilla.kernel.org/show_bug.cgi?id=218436

            Bug ID: 218436
           Summary: UBSAN: array-index-out-of-bounds in
                    drivers/scsi/aacraid/aachba.c
           Product: SCSI Drivers
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: AACRAID
          Assignee: scsi_drivers-aacraid@kernel-bugs.osdl.org
          Reporter: temnota.am@gmail.com
        Regression: No

UBSAN produced warnings on boot:

UBSAN: array-index-out-of-bounds in
/ml-build/mainline-stable/drivers/scsi/aacraid/aachba.c:3900:10
index 1 is out of range for type 'sgentryraw [1]'
CPU: 2 PID: 137 Comm: (udev-worker) Not tainted 6.7-672-generic #0~lch12
Hardware name: Intel S5000VSA/S5000VSA, BIOS S5000.86B.15.00.0101.110920101604
11/09/2010
Call Trace:
 <TASK>
 dump_stack_lvl+0x48/0x70
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xc6/0x110
 aac_build_sgraw+0x261/0x2d0 [aacraid]
 aac_read_raw_io+0xaa/0x1c0 [aacraid]
 aac_read+0xf5/0x2a0 [aacraid]
 aac_scsi_cmd+0x7c3/0xe50 [aacraid]
 ? sd_init_command+0xfc/0x430
 aac_queuecommand+0x1b/0x30 [aacraid]
 scsi_dispatch_cmd+0x91/0x240
 scsi_queue_rq+0x2cc/0x680
 blk_mq_dispatch_rq_list+0x133/0x580
 ? sbitmap_get+0x73/0x180
 __blk_mq_do_dispatch_sched+0xbb/0x300
 __blk_mq_sched_dispatch_requests+0x151/0x190
 blk_mq_sched_dispatch_requests+0x37/0x80
 blk_mq_run_hw_queue+0x1c5/0x210
 blk_mq_dispatch_plug_list+0x13c/0x2c0
 blk_mq_flush_plug_list.part.0+0x5c/0x190
 blk_mq_flush_plug_list+0x19/0x30
 __blk_flush_plug+0xdf/0x130
 blk_finish_plug+0x31/0x50
 read_pages+0x1c2/0x290
 page_cache_ra_unbounded+0x135/0x1d0
 force_page_cache_ra+0x9b/0xd0
 page_cache_sync_ra+0x30/0xa0
 filemap_get_pages+0x109/0x3b0
 filemap_read+0xf5/0x460
 blkdev_read_iter+0x6d/0x160
 vfs_read+0x1fe/0x330
 ksys_read+0x73/0x100
 __x64_sys_read+0x19/0x30
 do_syscall_64+0x5f/0xf0
 ? count_memcg_events.constprop.0+0x2a/0x50
 ? handle_mm_fault+0xad/0x380
 ? do_user_addr_fault+0x21e/0x6c0
 ? exit_to_user_mode_prepare+0x30/0xb0
 ? irqentry_exit_to_user_mode+0x17/0x20
 ? irqentry_exit+0x43/0x50
 ? exc_page_fault+0x94/0x1b0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x77ed57d5509d
Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 55 0a 00 e8 89 fe 01 00 66 0f 1f 84
00 00 00 00 00 80 3d 41 25 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b
c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec
RSP: 002b:00007ffdfc4944b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000064784280e420 RCX: 000077ed57d5509d
RDX: 0000000000040000 RSI: 000077ed57522038 RDI: 000000000000000d
RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000022 R11: 0000000000000246 R12: 000077ed57522010
R13: 0000000000040000 R14: 000064784280e478 R15: 000077ed57522028
 </TASK>

and with same backtrace with structure access on lines 3901-3905:
UBSAN: array-index-out-of-bounds in
/ml-build/mainline-stable/drivers/scsi/aacraid/aachba.c:3901:10
index 1 is out of range for type 'sgentryraw [1]'

UBSAN: array-index-out-of-bounds in
/ml-build/mainline-stable/drivers/scsi/aacraid/aachba.c:3902:10
index 1 is out of range for type 'sgentryraw [1]'

UBSAN: array-index-out-of-bounds in
/ml-build/mainline-stable/drivers/scsi/aacraid/aachba.c:3903:10
index 1 is out of range for type 'sgentryraw [1]'

UBSAN: array-index-out-of-bounds in
/ml-build/mainline-stable/drivers/scsi/aacraid/aachba.c:3904:10
index 1 is out of range for type 'sgentryraw [1]'

UBSAN: array-index-out-of-bounds in
/ml-build/mainline-stable/drivers/scsi/aacraid/aachba.c:3905:10
index 1 is out of range for type 'sgentryraw [1]'

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.