From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
Dmitry Vyukov <dvyukov@google.com>,
James Bottomley <JBottomley@Parallels.com>
Subject: [ 01/28] SCSI: sd: Fix potential out-of-bounds access
Date: Tue, 24 Sep 2013 17:07:32 -0700
Message-ID: <20130925000648.770805490@linuxfoundation.org>
In-Reply-To: <20130925000648.404447782@linuxfoundation.org>

3.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 984f1733fcee3fbc78d47e26c5096921c5d9946a upstream.

This patch fixes an out-of-bounds error in sd_read_cache_type(), found
by Google's AddressSanitizer tool. When the loop ends, we know that
"offset" lies beyond the end of the data in the buffer, so no Caching
mode page was found. In theory it may be present, but the buffer size
is limited to 512 bytes.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/sd.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2135,14 +2135,9 @@ sd_read_cache_type(struct scsi_disk *sdk
}
}
- if (modepage == 0x3F) {
- sd_printk(KERN_ERR, sdkp, "No Caching mode page "
- "present\n");
- goto defaults;
- } else if ((buffer[offset] & 0x3f) != modepage) {
- sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
- goto defaults;
- }
+ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n");
+ goto defaults;
+
Page_found:
if (modepage == 8) {
sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0);
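
Review bot: At the Page_found label kept as context below the change, buffer[offset + 2] is still indexed with no bounds check visible in this hunk, so it is worth confirming that the loop above jumps to Page_found only when offset + 2 lies within the data actually returned (and within the 512-byte buffer the commit message mentions). The fall-through change itself removes the bad read: once the (buffer[offset] & 0x3f) != modepage test is gone, nothing dereferences "offset" after the loop has run past the end of the data. A smaller point on the new sd_printk() line: the single "No Caching mode page found" message at KERN_ERR now also covers the case the commit message describes, where the page may exist but did not fit in the buffer. Wording that says the page was not found within the buffer would keep that case distinguishable in logs.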