From patchwork Thu Jul 5 10:09:44 2018
X-Patchwork-Submitter: Stefano Brivio
X-Patchwork-Id: 10508521
From: Stefano Brivio
To: "James E . J . Bottomley", "Martin K . Petersen"
Cc: linux-scsi@vger.kernel.org, "Ewan D . Milne", Stefano Brivio
Subject: [PATCH] scsi: ses: Guard against page 10 descriptors changes while processing them
Date: Thu, 5 Jul 2018 12:09:44 +0200
Message-Id: <7d6df5e8dc1cb4ea10c9e7b5e500ade076549bee.1530784862.git.sbrivio@redhat.com>
X-Mailing-List: linux-scsi@vger.kernel.org

SAS page 10 descriptors might change once we re-read them in
ses_enclosure_data_process(), causing out-of-bounds reads such as this
one found by KASAN:

[ 321.349000] sd 1:2:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
[ 321.357723] sd 1:2:0:0: [sdb] tag#0 CDB: Read(16) 88 00 00 00 00 04 8b 92 0f 80 00 00 00 08 00 00
[ 321.366604] blk_update_request: I/O error, dev sdb, sector 19521474432
[ 321.373346] sd 1:2:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
[ 321.382074] sd 1:2:0:0: [sdb] tag#0 CDB: Read(16) 88 00 00 00 00 04 8b 92 0f 80 00 00 00 08 00 00
[ 321.390963] blk_update_request: I/O error, dev sdb, sector 19521474432
[ 321.397505] Buffer I/O error on dev sdb, logical block 2440184304, async page read
[ 321.736854] ==================================================================
[ 321.744090] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0xaa1/0xea0 [ses]
[ 321.752352] Read of size 1 at addr ffff8807413710b9 by task systemd-udevd/708
[ 321.759485]
[ 321.760990] CPU: 0 PID: 708 Comm: systemd-udevd Tainted: G I ------------ 3.10.0-916.el7.test.x86_64 #1
[ 321.771590] Hardware name: IBM -[7147I10]-/Node 1, System Card, BIOS -[MLE179BUS-1.79]- 07/28/2013
[ 321.780630] Call Trace:
[ 321.783093] [] dump_stack+0x19/0x1b
[ 321.788236] [] print_address_description+0xfc/0x290
[ 321.802162] [] kasan_report.part.3+0x242/0x330
[ 321.808255] [] __asan_report_load1_noabort+0x34/0x40
[ 321.814869] [] ses_enclosure_data_process+0xaa1/0xea0 [ses]
[ 321.822094] [] ses_intf_add+0x85d/0xdde [ses]
[ 321.828108] [] class_interface_register+0x219/0x330
[ 321.851979] [] scsi_register_interface+0x38/0x50
[ 321.858247] [] ses_init+0x11/0x1000 [ses]
[ 321.863911] [] do_one_initcall+0x12a/0x370
[ 321.869665] [] load_module+0x5e3d/0x7550
[ 321.928619] [] SyS_init_module+0x253/0x350
[ 321.986411] [] system_call_fastpath+0x1c/0x21
[ 321.999029]
[ 322.000527] Allocated by task 708:
[ 322.003931] [] save_stack+0x43/0xe0
[ 322.009100] [] kasan_kmalloc+0xaa/0xe0
[ 322.014524] [] __kmalloc+0xee/0x270
[ 322.019683] [] ses_intf_add+0xa90/0xdde [ses]
[ 322.025710] [] class_interface_register+0x219/0x330
[ 322.032259] [] scsi_register_interface+0x38/0x50
[ 322.038552] [] ses_init+0x11/0x1000 [ses]
[ 322.044234] [] do_one_initcall+0x12a/0x370
[ 322.050002] [] load_module+0x5e3d/0x7550
[ 322.055599] [] SyS_init_module+0x253/0x350
[ 322.061371] [] system_call_fastpath+0x1c/0x21
[ 322.067399]
[ 322.068897] Freed by task 0:
[ 322.071782] (stack is not available)
[ 322.075358]
[ 322.076857] The buggy address belongs to the object at ffff880741370f00
[ 322.076857]  which belongs to the cache kmalloc-512 of size 512
[ 322.089365] The buggy address is located 441 bytes inside of
[ 322.089365]  512-byte region [ffff880741370f00, ffff880741371100)
[ 322.101089] The buggy address belongs to the page:
[ 322.105885] page:ffffea001d04dc00 count:1 mapcount:1638426 mapping: (null) index:0x0
[ 322.114404] page flags: 0x2fffff00004080(slab|head)
[ 322.119347] page dumped because: kasan: bad access detected
[ 322.124917]
[ 322.126416] Memory state around the buggy address:
[ 322.131212]  ffff880741370f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 322.138431]  ffff880741371000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 322.145653] >ffff880741371080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 322.152871]                                         ^
[ 322.157925]  ffff880741371100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 322.165144]  ffff880741371180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 322.172360] ==================================================================
[ 322.179577] Disabling lock debugging due to kernel taint
[ 322.184954] ==================================================================
[ 322.192180] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0xaa1/0xea0 [ses]
[ 322.200443] Read of size 1 at addr ffff8807413710bb by task systemd-udevd/708

Stop processing additional descriptors if we are already at the end of
the page 10 allocated buffer.

Signed-off-by: Stefano Brivio
---
 drivers/scsi/ses.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 62f04c0511cf..d7fcda08a802 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -605,9 +605,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev, /* these elements are optional */ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT || type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT || - type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) - addl_desc_ptr += addl_desc_ptr[1] + 2; - + type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) { + /* page 10 descriptors might have changed after + * page allocation, guard against that */ + if (addl_desc_ptr - ses_dev->page10 + 1 < + ses_dev->page10_len) + addl_desc_ptr += addl_desc_ptr[1] + 2; + else + addl_desc_ptr = NULL; + } } } kfree(buf);
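Review bot: the new check in the `ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS` branch only proves that `addl_desc_ptr[1]` is still inside `ses_dev->page10` before that byte is read; it says nothing about where `addl_desc_ptr += addl_desc_ptr[1] + 2;` lands. A length byte that changed between the allocation and the re-read can therefore still move `addl_desc_ptr` past `ses_dev->page10 + ses_dev->page10_len`, and that pointer is only noticed on the next pass through this same test, so any use of `addl_desc_ptr` before the loop gets back here still reads beyond the allocation. Keep the pre-read test for `addl_desc_ptr[1]`, but also bound the result of the advance, e.g. after `addl_desc_ptr += addl_desc_ptr[1] + 2;` add `if (addl_desc_ptr >= ses_dev->page10 + ses_dev->page10_len) addl_desc_ptr = NULL;`, so the NULL is stored the moment the list runs out rather than one iteration later. Minor: the comment opens as `/* page 10 descriptors might have changed after`; drivers/scsi uses the kernel default block-comment form with `/*` alone on the first line, which checkpatch will flag.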
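The descriptor walk this patch hardens, as an added example in C that is not code from ses.c or from the patch itself. The only structure it assumes is the one the hunk's `addl_desc_ptr += addl_desc_ptr[1] + 2` implies: a two-byte header whose second byte is the number of payload bytes that follow. The function names, the result struct and the three sample byte strings are constructed for this example. The unchecked walker has the shape of the pre-patch loop; the checked one requires both the header and the announced payload to fit inside the size allocated for the first read, which is stricter than the single pre-read test in the hunk, and stops with an explicit result instead of carrying an out-of-range pointer into the next iteration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from ses.c or from this patch.
 * Model: each descriptor is a two-byte header followed by page[off + 1]
 * payload bytes, so the next descriptor starts at off + page[off + 1] + 2.
 * 'len' is the size that was allocated for the FIRST read of the page; the
 * device may answer a re-read with a different, longer descriptor set.
 */

struct walk_result {
	size_t count;        /* descriptors fully inside [page, page + len) */
	size_t stop_offset;  /* byte offset at which the walk stopped       */
	int    truncated;    /* 1 if a descriptor ran past the allocation   */
};

/*
 * Shape of the pre-patch loop: trusts every length byte and returns the
 * offset reached after n_desc descriptors. On a list whose lengths no
 * longer match the allocation this reads past the buffer, which is the
 * slab-out-of-bounds KASAN reported, so it is only run on a well-formed
 * list below.
 */
size_t walk_descriptors_unchecked(const uint8_t *page, size_t n_desc)
{
	size_t off = 0;

	for (size_t i = 0; i < n_desc; i++)
		off += page[off + 1] + 2;
	return off;
}

/*
 * Hardened walk: before a descriptor is used, both its two-byte header and
 * the payload its length byte announces must lie inside the allocation.
 * Stops at the first descriptor that does not and reports where, so the
 * caller can drop its pointer (the patch's `addl_desc_ptr = NULL`).
 * Invariant: off <= len, so 'len - off' never wraps.
 */
struct walk_result walk_descriptors_checked(const uint8_t *page, size_t len,
					    size_t n_desc)
{
	struct walk_result r = { 0, 0, 0 };
	size_t off = 0;

	while (r.count < n_desc) {
		size_t dlen;

		/* header: page[off] and page[off + 1] must both be in bounds */
		if (len - off < 2) {
			r.truncated = 1;
			break;
		}
		dlen = page[off + 1];
		/* payload: page[off + 2 .. off + 2 + dlen) must be in bounds */
		if (dlen > len - off - 2) {
			r.truncated = 1;
			break;
		}
		/* whole descriptor is inside the allocation: safe to consume */
		r.count++;
		off += dlen + 2;
	}
	r.stop_offset = off;
	return r;
}

/* Constructed sample: three descriptors, 9 bytes, as the first read
 * returned them; 9 is therefore the size the caller allocated. */
static const uint8_t first_read[] = {
	0x16, 0x02, 0xaa, 0xbb,	/* descriptor 0: 2 payload bytes */
	0x16, 0x01, 0xcc,	/* descriptor 1: 1 payload byte  */
	0x16, 0x00,		/* descriptor 2: no payload      */
};

/* Constructed sample: the first 9 bytes of the same list after the device's
 * descriptor set changed; descriptor 1 now announces 0x40 payload bytes,
 * far past the allocation made for the first read. */
static const uint8_t re_read[] = {
	0x16, 0x02, 0xaa, 0xbb,
	0x16, 0x40, 0xcc,
	0x16, 0x00,
};

/* Constructed sample: the allocation ends one byte into a header, the case
 * the patch's `addl_desc_ptr - page10 + 1 < page10_len` test covers:
 * page[2] is in bounds, the length byte page[3] is not. */
static const uint8_t cut_header[] = { 0x16, 0x00, 0x16 };

int main(void)
{
	struct walk_result r;

	printf("unchecked walk of first_read ends at offset %zu\n",
	       walk_descriptors_unchecked(first_read, 3));
	r = walk_descriptors_checked(first_read, sizeof(first_read), 3);
	printf("first_read: %zu descriptors, stopped at %zu, truncated=%d\n",
	       r.count, r.stop_offset, r.truncated);
	r = walk_descriptors_checked(re_read, sizeof(re_read), 3);
	printf("re_read:    %zu descriptors, stopped at %zu, truncated=%d\n",
	       r.count, r.stop_offset, r.truncated);
	r = walk_descriptors_checked(cut_header, sizeof(cut_header), 2);
	printf("cut_header: %zu descriptors, stopped at %zu, truncated=%d\n",
	       r.count, r.stop_offset, r.truncated);
	return 0;
}
```

On `re_read` the checked walk accepts descriptor 0 and stops at offset 4 with `truncated` set, which is the point at which a driver should store NULL rather than advance; on `cut_header` it stops at offset 2 before touching the missing length byte. The unchecked walk on the same inputs would index `page[0x46]` and `page[3]` respectively.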