From patchwork Fri Mar 3 10:17:52 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kefeng Wang X-Patchwork-Id: 9602493 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A14B46016C for ; Fri, 3 Mar 2017 10:25:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 93A12285E3 for ; Fri, 3 Mar 2017 10:25:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 880BD28601; Fri, 3 Mar 2017 10:25:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 186FD285E3 for ; Fri, 3 Mar 2017 10:25:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751657AbdCCKZP (ORCPT ); Fri, 3 Mar 2017 05:25:15 -0500 Received: from szxga03-in.huawei.com ([45.249.212.189]:3457 "EHLO dggrg03-dlp.huawei.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1751408AbdCCKYq (ORCPT ); Fri, 3 Mar 2017 05:24:46 -0500 Received: from 172.30.72.57 (EHLO DGGEML402-HUB.china.huawei.com) ([172.30.72.57]) by dggrg03-dlp.huawei.com (MOS 4.4.6-GA FastPath queued) with ESMTP id AJM45715; Fri, 03 Mar 2017 18:21:49 +0800 (CST) Received: from linux-ibm.site (10.175.102.37) by DGGEML402-HUB.china.huawei.com (10.3.17.38) with Microsoft SMTP Server id 14.3.301.0; Fri, 3 Mar 2017 18:21:39 +0800 From: Kefeng Wang To: Jens Axboe , "James E.J. Bottomley" , "Martin K. Petersen" CC: , , Kefeng Wang Subject: [PATCH] scsi: sr: fix oob access in get_capabilities Date: Fri, 3 Mar 2017 18:17:52 +0800 Message-ID: <1488536272-10509-1-git-send-email-wangkefeng.wang@huawei.com> X-Mailer: git-send-email 1.7.12.4 MIME-Version: 1.0 X-Originating-IP: [10.175.102.37] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.58B943BE.0185, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: c445aa249079977ec46d7e17a1421097 Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP 'n = header_length + block_descriptor_length' could be greater than 512, and will lead to oob access, so enlarge transfer buffer to fix it. === BUG: KASAN: slab-out-of-bounds in sr_probe+0x570/0xcc0 at addr ffff88000009020e Read of size 1 by task kworker/u48:2/188 Signed-off-by: Kefeng Wang --- drivers/scsi/sr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c index 0b29b93..5a80aa6 100644 --- a/drivers/scsi/sr.c +++ b/drivers/scsi/sr.c @@ -852,7 +852,7 @@ static void get_capabilities(struct scsi_cd *cd) /* allocate transfer buffer */ - buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); + buffer = kmalloc(1024, GFP_KERNEL | GFP_DMA); if (!buffer) { sr_printk(KERN_ERR, cd, "out of memory.\n"); return;