
scsi: megaraid_sas: array overflow in megasas_dump_frame()

Message ID 20170214163855.GA1687@mwanda (mailing list archive)
State Accepted, archived

Commit Message

Dan Carpenter Feb. 14, 2017, 4:38 p.m. UTC
The "sz" variable is in terms of bytes, but we're treating the buffer as
an array of __le32 so we have to divide by 4.

Fixes: def0eab3af86 ("scsi: megaraid_sas: enhance debug logs in OCR context")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Sumit Saxena Feb. 15, 2017, 6:06 a.m. UTC | #1
>-----Original Message-----
>From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
>Sent: Tuesday, February 14, 2017 10:09 PM
>To: Kashyap Desai; Shivasharan S
>Cc: Sumit Saxena; James E.J. Bottomley; Martin K. Petersen;
>megaraidlinux.pdl@broadcom.com; linux-scsi@vger.kernel.org; kernel-janitors@vger.kernel.org
>Subject: [patch] scsi: megaraid_sas: array overflow in megasas_dump_frame()
>
>The "sz" variable is in terms of bytes, but we're treating the buffer as
>an array of __le32 so we have to divide by 4.
>
>Fixes: def0eab3af86 ("scsi: megaraid_sas: enhance debug logs in OCR context")
>Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
>diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c
>b/drivers/scsi/megaraid/megaraid_sas_base.c
>index dc9f42e135bb..7ac9a9ee9bd4 100644
>--- a/drivers/scsi/megaraid/megaraid_sas_base.c
>+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
>@@ -2754,7 +2754,7 @@ megasas_dump_frame(void *mpi_request, int sz)
> 	__le32 *mfp = (__le32 *)mpi_request;
>
> 	printk(KERN_INFO "IO request frame:\n\t");
>-	for (i = 0; i < sz; i++) {
>+	for (i = 0; i < sz / sizeof(__le32); i++) {
> 		if (i && ((i % 8) == 0))
> 			printk("\n\t");
> 		printk("%08x ", le32_to_cpu(mfp[i]));
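
Review bot: the two continuation calls inside the loop, `printk("\n\t")` and `printk("%08x ", ...)`, carry no log level, so they may be emitted as separate records instead of continuing the KERN_INFO line opened by "IO request frame:". Consider marking them with KERN_CONT, or formatting each row of eight words into a local buffer and emitting it with a single printk so rows from concurrent messages cannot interleave.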

Thanks for fixing this.
Acked-by: Sumit Saxena<sumit.saxena@broadcom.com>

Sumit Saxena Feb. 15, 2017, 2:17 p.m. UTC | #2
>-----Original Message-----
>From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
>Sent: Tuesday, February 14, 2017 10:09 PM
>To: Kashyap Desai; Shivasharan S
>Cc: Sumit Saxena; James E.J. Bottomley; Martin K. Petersen;
>megaraidlinux.pdl@broadcom.com; linux-scsi@vger.kernel.org; kernel-janitors@vger.kernel.org
>Subject: [patch] scsi: megaraid_sas: array overflow in megasas_dump_frame()
>
>The "sz" variable is in terms of bytes, but we're treating the buffer as
>an array of __le32 so we have to divide by 4.
>
>Fixes: def0eab3af86 ("scsi: megaraid_sas: enhance debug logs in OCR context")
>Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
>diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c
>b/drivers/scsi/megaraid/megaraid_sas_base.c
>index dc9f42e135bb..7ac9a9ee9bd4 100644
>--- a/drivers/scsi/megaraid/megaraid_sas_base.c
>+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
>@@ -2754,7 +2754,7 @@ megasas_dump_frame(void *mpi_request, int sz)
> 	__le32 *mfp = (__le32 *)mpi_request;
>
> 	printk(KERN_INFO "IO request frame:\n\t");
>-	for (i = 0; i < sz; i++) {
>+	for (i = 0; i < sz / sizeof(__le32); i++) {
> 		if (i && ((i % 8) == 0))
> 			printk("\n\t");
> 		printk("%08x ", le32_to_cpu(mfp[i]));
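
Review bot: the new bound `sz / sizeof(__le32)` rounds down, so when `sz` is not a multiple of 4 up to three trailing bytes of the frame are left out of the dump without any indication. If every caller passes a multiple of 4, a short comment above megasas_dump_frame() stating that `sz` is a byte count and is expected to be 4-byte aligned would record that assumption next to the division.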

Patch looks good. In the last reply, the Acked-by tag was not in the proper format.
Fixing it now. Sorry for the inconvenience.
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>

Martin K. Petersen Feb. 16, 2017, 2:38 a.m. UTC | #3
>>>>> "Dan" == Dan Carpenter <dan.carpenter@oracle.com> writes:

Dan> The "sz" variable is in terms of bytes, but we're treating the
Dan> buffer as an array of __le32 so we have to divide by 4.

Dan> Fixes: def0eab3af86 ("scsi: megaraid_sas: enhance debug logs in OCR context")
Dan> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied to 4.11/scsi-queue.

Patch

diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index dc9f42e135bb..7ac9a9ee9bd4 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -2754,7 +2754,7 @@  megasas_dump_frame(void *mpi_request, int sz)
 	__le32 *mfp = (__le32 *)mpi_request;
 
 	printk(KERN_INFO "IO request frame:\n\t");
-	for (i = 0; i < sz; i++) {
+	for (i = 0; i < sz / sizeof(__le32); i++) {
 		if (i && ((i % 8) == 0))
 			printk("\n\t");
 		printk("%08x ", le32_to_cpu(mfp[i]));
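
Review bot: `sz` is declared `int` in the signature, and in the loop condition `i < sz / sizeof(__le32)` it is converted to the unsigned type of `sizeof` before the division, so a negative `sz` would yield a very large bound rather than a loop that never runs, and the comparison becomes mixed signed/unsigned if `i` is a signed int. Declaring `sz` as an unsigned type, or computing the word count once into a local before the loop, would make the bound explicit and keep the out-of-bounds read of `mfp[i]` from reappearing through a bad length.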