From patchwork Fri Mar 3 10:17:52 2017
X-Patchwork-Submitter: Kefeng Wang
X-Patchwork-Id: 94829
From: Kefeng Wang To: Jens Axboe , "James E.J. Bottomley" , "Martin K. Petersen" CC: , , Kefeng Wang Subject: [PATCH] scsi: sr: fix oob access in get_capabilities Date: Fri, 3 Mar 2017 18:17:52 +0800 Message-ID: <1488536272-10509-1-git-send-email-wangkefeng.wang@huawei.com> X-Mailer: git-send-email 1.7.12.4 MIME-Version: 1.0 X-Originating-IP: [10.175.102.37] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.58B943BE.0185, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: c445aa249079977ec46d7e17a1421097 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 'n = header_length + block_descriptor_length' could be greater than 512, and will lead to oob access, so enlarge transfer buffer to fix it. -- 1.7.12.4 Reported-by: Kefeng Wang Signed-off-by: Martin K. Petersen diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c Tested-by: Kefeng Wang === BUG: KASAN: slab-out-of-bounds in sr_probe+0x570/0xcc0 at addr ffff88000009020e Read of size 1 by task kworker/u48:2/188 Signed-off-by: Kefeng Wang --- drivers/scsi/sr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c index 0b29b93..5a80aa6 100644 --- a/drivers/scsi/sr.c +++ b/drivers/scsi/sr.c @@ -852,7 +852,7 @@ static void get_capabilities(struct scsi_cd *cd) /* allocate transfer buffer */ - buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); + buffer = kmalloc(1024, GFP_KERNEL | GFP_DMA); if (!buffer) { sr_printk(KERN_ERR, cd, "out of memory.\n"); return;
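Review bot: the kmalloc() change in get_capabilities() raises the buffer from 512 to 1024 bytes but adds no bound on the index, so the out-of-bounds read stays reachable whenever n is larger than the new size. The commit message says only that 'n = header_length + block_descriptor_length' can exceed 512; it gives no upper limit, and both terms come from the device's response, so nothing visible here shows that 1024 is enough. I would rather see n validated against the allocated length before the buffer is indexed, taking the same fallback path as a failed capabilities query when it does not fit, with the buffer size held in one named constant used by both the allocation and the check instead of a bare 1024. It would also help to say in the commit message where 1024 comes from, and to keep the full KASAN splat there, since the excerpt stops after the 'Read of size 1' line.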