| Message ID | 20230127063500.1278068-3-shinichiro.kawasaki@wdc.com |
|---|---|
| State | New |
| Headers | show |
| Series | scsi: mpi3mr: fix issues found by KASAN | expand |
On Thu, Jan 26, 2023 at 11:35 PM Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> wrote: > > The function mpi3mr_get_all_tgt_info calculates min_entrylen which holds > the valid entry length in alltgt_info. However, it does not refer > min_entrylen when it calls sg_copy_from_buffer to copy the valid entries > from alltgt_info to job->request_payload. Instead, it specifies the > payload length which is larger than the alltgt_info size, then it causes > "BUG: KASAN: slab-out-of-bounds". Fix the BUG by specifying the correct > length referring the calculated min_entrylen. >>both this and the first patch could have been merged. We will do some more cleanup on this function and provide a new patch, we can hold 1 and 2 for now. > > Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands") > Cc: stable@vger.kernel.org > Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> > --- > drivers/scsi/mpi3mr/mpi3mr_app.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c > index 49916ae617e5..7fb9505723cf 100644 > --- a/drivers/scsi/mpi3mr/mpi3mr_app.c > +++ b/drivers/scsi/mpi3mr/mpi3mr_app.c > @@ -359,7 +359,7 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, > > sg_copy_from_buffer(job->request_payload.sg_list, > job->request_payload.sg_cnt, > - alltgt_info, job->request_payload.payload_len); > + alltgt_info, sizeof(*alltgt_info) + min_entrylen); > rval = 0; > out: > kfree(alltgt_info); > -- > 2.38.1 >
On Feb 09, 2023 / 10:51, Sathya Prakash Veerichetty wrote: > On Thu, Jan 26, 2023 at 11:35 PM Shin'ichiro Kawasaki > <shinichiro.kawasaki@wdc.com> wrote: > > > > The function mpi3mr_get_all_tgt_info calculates min_entrylen which holds > > the valid entry length in alltgt_info. However, it does not refer > > min_entrylen when it calls sg_copy_from_buffer to copy the valid entries > > from alltgt_info to job->request_payload. Instead, it specifies the > > payload length which is larger than the alltgt_info size, then it causes > > "BUG: KASAN: slab-out-of-bounds". Fix the BUG by specifying the correct > > length referring the calculated min_entrylen. > > >>both this and the first patch could have been merged. We will do some more cleanup on this function and provide a new patch, we can hold 1 and 2 for now. I see. I will squash the first patch and the second patch in v5 series.
diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c index 49916ae617e5..7fb9505723cf 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_app.c +++ b/drivers/scsi/mpi3mr/mpi3mr_app.c @@ -359,7 +359,7 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, sg_copy_from_buffer(job->request_payload.sg_list, job->request_payload.sg_cnt, - alltgt_info, job->request_payload.payload_len); + alltgt_info, sizeof(*alltgt_info) + min_entrylen); rval = 0; out: kfree(alltgt_info);
The function mpi3mr_get_all_tgt_info calculates min_entrylen which holds the valid entry length in alltgt_info. However, it does not refer min_entrylen when it calls sg_copy_from_buffer to copy the valid entries from alltgt_info to job->request_payload. Instead, it specifies the payload length which is larger than the alltgt_info size, then it causes "BUG: KASAN: slab-out-of-bounds". Fix the BUG by specifying the correct length referring the calculated min_entrylen. Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands") Cc: stable@vger.kernel.org Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> --- drivers/scsi/mpi3mr/mpi3mr_app.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)