From: Tianchen Ding
To: "James E.J. Bottomley" , "Martin K. Petersen"
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH] scsi: ses: Fix out-of-bound write at ses_enclosure_data_process()
Date: Fri, 15 Apr 2022 11:23:13 +0800
Message-Id: <20220415032313.94991-1-dtcccc@linux.alibaba.com>

Our modified KFENCE reported a memory corruption:

[   52.584914] BUG: KFENCE: memory corruption in ses_enclosure_data_process+0x24b/0x310 [ses]
[   52.584917] Corrupted memory at 0xffff88982de06ff0 [ 0x00 . . . . . . . . . . . . . . . ] (in kfence-#1624698):
[   52.607212]  ses_enclosure_data_process+0x24b/0x310 [ses]
[   52.607215]  ses_intf_add+0x444/0x542 [ses]
[   52.621369]  class_interface_register+0x110/0x120
[   52.621373]  ses_init+0x13/0x1000 [ses]
[   52.621377]  do_one_initcall+0x41/0x1c0
[   52.621380]  do_init_module+0x5c/0x260
[   52.621382]  __do_sys_finit_module+0xb1/0x110
[   52.621386]  do_syscall_64+0x2d/0x40
[   52.621388]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[   52.621393] kfence-#1624698 [0xffff88982de06fc0-0xffff88982de06fe0, size=33, cache=kmalloc-64] allocated by task 1033:
[   52.670344]  ses_enclosure_data_process+0x2ae/0x310 [ses]
[   52.670347]  ses_intf_add+0x444/0x542 [ses]
[   52.670353]  class_interface_register+0x110/0x120
[   52.688165]  ses_init+0x13/0x1000 [ses]
[   52.688169]  do_one_initcall+0x41/0x1c0
[   52.688172]  do_init_module+0x5c/0x260
[   52.688174]  __do_sys_finit_module+0xb1/0x110
[   52.688177]  do_syscall_64+0x2d/0x40
[   52.688179]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

This is because we check desc_ptr >= buf + page7_len first but then write '\0' to desc_ptr[len+4], while this address may be out of bounds.

Fixes: 21fab1d0595e ("[SCSI] ses: update enclosure data on hot add")
Signed-off-by: Tianchen Ding
---
 drivers/scsi/ses.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 0a1734f34587..06b991e27c84 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -559,11 +559,11 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
 			struct enclosure_component *ecomp;
 
 			if (desc_ptr) {
-				if (desc_ptr >= buf + page7_len) {
+				len = (desc_ptr[2] << 8) + desc_ptr[3];
+				desc_ptr += 4;
+				if (desc_ptr + len > buf + page7_len) {
 					desc_ptr = NULL;
 				} else {
-					len = (desc_ptr[2] << 8) + desc_ptr[3];
-					desc_ptr += 4;
 					/* Add trailing zero - pushes into
 					 * reserved space */
 					desc_ptr[len] = '\0';
-- 
2.33.0
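Review bot: the reordered code reads desc_ptr[2] and desc_ptr[3] before any bounds check, so the out-of-bounds read that the removed `if (desc_ptr >= buf + page7_len)` test prevented comes back whenever desc_ptr already sits close to or past the end of the page; keep a header check first (for instance `if (desc_ptr + 4 > buf + page7_len)` before `len = (desc_ptr[2] << 8) + desc_ptr[3];`) and apply the `desc_ptr + len` test after it. Separately, `desc_ptr + len > buf + page7_len` still admits desc_ptr + len == buf + page7_len, after which `desc_ptr[len] = '\0';` writes to buf[page7_len]; unless the "reserved space" comment means the allocation really carries a spare byte there, the test should be `>=`, and the commit message should state which of the two it is.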
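The two checks the patch turns on (a complete header before the length is read, and room for the terminator byte before it is written), as an added example that is not the kernel's code: a user-space C walker over a constructed descriptor list using the same 4-byte-header-plus-text layout ses_enclosure_data_process() parses. The function names, the `remaining` bookkeeping and the sample bytes are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SES_DESC_HDR 4  /* bytes 0..1 reserved, bytes 2..3 = text length (big-endian) */

/* Walk consecutive descriptors laid out like the ones ses_enclosure_data_process()
 * parses (4-byte header, then `len` bytes of text) and NUL-terminate each text in
 * place. The NUL lands on the next header's reserved byte 0, or on the byte right
 * after the last descriptor, so that byte must exist too. Returns the number of
 * descriptors terminated, or -1 as soon as a header or a text plus its terminator
 * would not fit in buf_len; nothing is written for the descriptor that fails. */
int terminate_descriptors(uint8_t *buf, size_t buf_len, size_t start, int ndesc)
{
    uint8_t *desc_ptr;
    size_t remaining, len;
    int done;
    if (start > buf_len)
        return -1;
    desc_ptr = buf + start;
    remaining = buf_len - start;
    for (done = 0; done < ndesc; done++) {
        /* 1. all four header bytes must be in range before the length is read;
         *    checking desc_ptr alone (the removed test) does not ensure that */
        if (remaining < SES_DESC_HDR)
            return -1;
        len = ((size_t)desc_ptr[2] << 8) | desc_ptr[3];
        desc_ptr += SES_DESC_HDR;
        remaining -= SES_DESC_HDR;
        /* 2. the NUL goes to desc_ptr[len], so len must be strictly below the
         *    remaining space; `>` would let len == remaining write one byte past */
        if (len >= remaining)
            return -1;
        desc_ptr[len] = '\0';
        desc_ptr += len;        /* next header starts at the byte just zeroed */
        remaining -= len;
    }
    return done;
}

/* Constructed sample: "abc" and "de", plus one slack byte for the last NUL. */
static const uint8_t sample[14] = { 0, 0, 0, 3, 'a', 'b', 'c',
                                    0, 0, 0, 2, 'd', 'e', 0xAA };
/* Walk a copy of the sample while treating only buf_len bytes as allocated. */
int walk_sample(size_t buf_len, int ndesc)
{
    uint8_t scratch[sizeof sample];
    memcpy(scratch, sample, sizeof sample);
    return terminate_descriptors(scratch, buf_len, 0, ndesc);
}
```

With 14 bytes both descriptors terminate; with 13 the second text fits but its terminator would land on buf[13], which is exactly the boundary case a `>` test lets through.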