From: Rand Deeb <rand.sec96@gmail.com>
To: Finn Thain <fthain@linux-m68k.org>,
	Michael Schmitz <schmitzmic@gmail.com>,
	"James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	linux-scsi@vger.kernel.org (open list:NCR 5380 SCSI DRIVERS),
	linux-kernel@vger.kernel.org (open list)
Cc: deeb.rand@confident.ru, lvc-project@linuxtesting.org,
	voskresenski.stanislav@confident.ru,
	Rand Deeb <rand.sec96@gmail.com>
Subject: [PATCH] scsi: NCR5380: Prevent potential out-of-bounds read in spi_print_msg()
Date: Wed, 30 Apr 2025 14:59:26 +0300
Message-ID: <20250430115926.6335-1-rand.sec96@gmail.com>

spi_print_msg() assumes that the input buffer is large enough to
contain the full SCSI message, including extended messages which may
access msg[2], msg[3], msg[7], and beyond based on message type.

NCR5380_reselect() currently allocates a 3-byte buffer for 'msg'
and reads only a single byte from the SCSI bus before passing it to
spi_print_msg(), which can result in a potential out-of-bounds read
if the message is malformed or declares a longer length.

This patch increases the buffer size to 16 bytes and reads up to
16 bytes from the SCSI bus. A length check is also added to ensure
the message is well-formed before passing it to spi_print_msg().

This ensures safe handling of all valid SCSI messages and prevents
undefined behavior due to malformed or malicious input.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
---
 drivers/scsi/NCR5380.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
index 0e10502660de..2d2a1244af62 100644
--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -2026,7 +2026,7 @@ static void NCR5380_reselect(struct Scsi_Host *instance)
 	struct NCR5380_hostdata *hostdata = shost_priv(instance);
 	unsigned char target_mask;
 	unsigned char lun;
-	unsigned char msg[3];
+	unsigned char msg[16];
 	struct NCR5380_cmd *ncmd;
 	struct scsi_cmnd *tmp;
 
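Review bot: the new size on the `unsigned char msg[16];` line is a bare magic number; neither the hunk nor the commit message says why 16, and it is far below the 258 bytes an extended message may declare, so a bounds check against the declared length stays mandatory regardless of this change. Suggest a one-line comment or a named constant stating that 16 covers the longest extended message spi_print_msg() decodes (the commit message cites reads up to msg[7]), and note that only the bytes actually transferred from the bus are initialised; everything past them is stack garbage, so the array size alone must never be used as the bound.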
@@ -2084,7 +2084,7 @@ static void NCR5380_reselect(struct Scsi_Host *instance)
 	msg[0] = NCR5380_read(CURRENT_SCSI_DATA_REG);
 #else
 	{
-		int len = 1;
+		int len = sizeof(msg);
 		unsigned char *data = msg;
 		unsigned char phase = PHASE_MSGIN;
 
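Review bot: changing `int len = 1;` to `int len = sizeof(msg);` alters the bus behaviour of every reselection, not only the malformed-message path. A reselecting target sends a single IDENTIFY byte and then changes phase, so a 16-byte PIO request cannot complete normally, and whatever consumes `len` after the transfer (outside this hunk's context) was written for a one-byte read and needs re-checking. Suggest keeping the one-byte IDENTIFY read and, only when msg[0] turns out not to be IDENTIFY, fetching further bytes with a second transfer bounded by the declared length, recording how many actually arrived so the later check can use that count.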
@@ -2099,7 +2099,26 @@ static void NCR5380_reselect(struct Scsi_Host *instance)
 
 	if (!(msg[0] & 0x80)) {
 		shost_printk(KERN_ERR, instance, "expecting IDENTIFY message, got ");
-		spi_print_msg(msg);
+
+		/*
+		 * Defensive check before calling spi_print_msg():
+		 * Avoid buffer overrun if msg claims extended length.
+		 */
+		if (msg[0] == EXTENDED_MESSAGE && len >= 3) {
+			int expected_len = 2 + msg[1];
+
+			if (expected_len == 2)
+				expected_len += 256;
+
+			if (len >= expected_len)
+				spi_print_msg(msg);
+			else
+				pr_warn("spi_print_msg: skipping malformed extended message (len=%d, expected=%d)\n",
+					len, expected_len);
+		} else {
+			spi_print_msg(msg);
+		}
+
 		printk("\n");
 		do_abort(instance, 0);
 		return;
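Review bot: `len` in `if (msg[0] == EXTENDED_MESSAGE && len >= 3)` and `if (len >= expected_len)` is not in scope here: on the `#else` path of the previous hunk it is declared inside the brace block opened with `{`, which, judging by the indentation, closes before this `if`, and on the `#ifdef` path that reads CURRENT_SCSI_DATA_REG there is no `len` at all, so this does not build in either configuration. Hoisting `int len` next to `msg` fixes the scope but not the meaning: `len` starts as the buffer size and, if the transfer writes back a residual, ends as the number of bytes not transferred, so `len >= expected_len` never compares against bytes actually received and spi_print_msg() can still walk uninitialised stack; track the received count separately and compare that. Separately, pr_warn() starts a fresh log line at a different level directly after the unterminated `shost_printk(KERN_ERR, ..., "got ")` prefix, leaving the following `printk("\n")` terminating nothing; emit the warning through the same shost_printk() or as a KERN_CONT continuation.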
-- 
2.34.1
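The length rule the commit message relies on (an extended message is 0x01, an additional-length byte where 0 means 256, then the extended code and its parameters), carried through as an added example that is not part of the patch or of the NCR5380 driver. The helper names scsi_msg_needed_len(), scsi_msg_safe_to_decode() and scsi_msg_describe() and the sample buffers are constructed here; the SDTR, WDTR and PPR field layouts follow the SPI specification. The point it makes is that the bound must be the number of bytes actually transferred from the bus, never the size of the array holding them.

```c
/* Added example, not part of the patch or the NCR5380 driver: a bounds-checked
 * SCSI message reader that bases every index check on the number of bytes
 * actually transferred from the bus, never on sizeof(buffer).  Layouts follow
 * SCSI-2 / SPI; helper names and sample buffers are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXTENDED_MESSAGE 0x01
#define EXTENDED_SDTR    0x01	/* synchronous data transfer request */
#define EXTENDED_WDTR    0x03	/* wide data transfer request */
#define EXTENDED_PPR     0x04	/* parallel protocol request */
#define IDENTIFY_BASE    0x80

/* Bytes a decoder needs for the whole message at msg[0], or -1 when the
 * header bytes that determine the length are not among the 'received'. */
int scsi_msg_needed_len(const uint8_t *msg, size_t received)
{
	if (received < 1)
		return -1;
	/* 0x20..0x2f are two-byte messages; all other non-extended codes,
	 * IDENTIFY (0x80..0xff) included, are a single byte. */
	if (msg[0] != EXTENDED_MESSAGE)
		return (msg[0] & 0xf0) == 0x20 ? 2 : 1;
	/* Extended: 0x01, additional length (0 means 256), code, parameters. */
	if (received < 2)
		return -1;
	return 2 + (msg[1] ? msg[1] : 256);
}

/* True only if every byte a decoder would read was really received. */
bool scsi_msg_safe_to_decode(const uint8_t *msg, size_t received)
{
	int needed = scsi_msg_needed_len(msg, received);

	return needed > 0 && received >= (size_t)needed;
}

/* Describe the message into 'out'; returns its code (the extended code for
 * extended messages) or -1 if truncated.  A passing extended message has at
 * least 3 bytes, and the per-type length tests cover msg[3..7] below. */
int scsi_msg_describe(const uint8_t *msg, size_t received, char *out, size_t outlen)
{
	if (!scsi_msg_safe_to_decode(msg, received)) {
		snprintf(out, outlen, "truncated: %zu received, %d needed",
			 received, scsi_msg_needed_len(msg, received));
		return -1;
	}
	if (msg[0] & IDENTIFY_BASE) {
		snprintf(out, outlen, "IDENTIFY lun %u", (unsigned)(msg[0] & 0x07));
		return msg[0];
	}
	if (msg[0] != EXTENDED_MESSAGE) {
		snprintf(out, outlen, "message 0x%02x", (unsigned)msg[0]);
		return msg[0];
	}
	if (msg[2] == EXTENDED_SDTR && msg[1] == 3) {
		snprintf(out, outlen, "SDTR period factor %u offset %u",
			 (unsigned)msg[3], (unsigned)msg[4]);
	} else if (msg[2] == EXTENDED_WDTR && msg[1] == 2) {
		snprintf(out, outlen, "WDTR width exponent %u", (unsigned)msg[3]);
	} else if (msg[2] == EXTENDED_PPR && msg[1] == 6) {
		snprintf(out, outlen,
			 "PPR period factor %u offset %u width exponent %u options 0x%02x",
			 (unsigned)msg[3], (unsigned)msg[5], (unsigned)msg[6], (unsigned)msg[7]);
	} else {
		snprintf(out, outlen, "extended 0x%02x with %u additional byte(s)",
			 (unsigned)msg[2], (unsigned)(msg[1] ? msg[1] : 256));
	}
	return msg[2];
}

/* Constructed samples: a reselection IDENTIFY for LUN 2, a complete SDTR, a PPR
 * cut off after its header, and an extended message declaring 256 bytes. */
static const uint8_t sample_identify[]  = { IDENTIFY_BASE | 0x02 };
static const uint8_t sample_sdtr[]      = { 0x01, 0x03, 0x01, 0x0c, 0x08 };
static const uint8_t sample_ppr_short[] = { 0x01, 0x06, 0x04 };
static const uint8_t sample_ext_256[]   = { 0x01, 0x00, 0x04 };

int main(void)
{
	const uint8_t *msgs[] = { sample_identify, sample_sdtr, sample_ppr_short, sample_ext_256 };
	const size_t lens[] = { sizeof(sample_identify), sizeof(sample_sdtr),
				sizeof(sample_ppr_short), sizeof(sample_ext_256) };
	char buf[96];

	for (size_t i = 0; i < 4; i++) {
		scsi_msg_describe(msgs[i], lens[i], buf, sizeof(buf));
		printf("%zu byte(s): %s\n", lens[i], buf);
	}
	return 0;
}
```

Run stand-alone it prints one line per sample. In a driver the `received` argument is the byte count the PIO transfer reports, and the decoder is only entered when scsi_msg_safe_to_decode() returns true. The 256-byte case is the instructive one: a target that sends 0x01 0x00 has declared 258 bytes, which a 16-byte buffer can never hold, so the message has to be reported as truncated rather than decoded, whatever the array size.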



Thread overview: 5+ messages
2025-04-30 11:59 Rand Deeb [this message]
2025-04-30 12:59 ` [PATCH] scsi: NCR5380: Prevent potential out-of-bounds read in spi_print_msg() James Bottomley
2025-05-05  5:00   ` Rand Deeb
2025-05-01  3:40 ` Finn Thain
2025-05-07  7:31 ` kernel test robot
