Re: [PATCH] scsi: sr: fix oob access in get_capabilities
From: Kefeng Wang
Date: Mon Mar 06 2017 - 02:33:55 EST
Hi allï
On 2017/3/3 18:17, Kefeng Wang wrote:
> 'n = header_length + block_descriptor_length' could be greater than 512,
> and will lead to oob access, so enlarge transfer buffer to fix it.
I am not familiar with scsi protocolïso the patch may be wrong.
Question, is it reasonable for block_descriptor_length = 512 when mode page = 0x2a?
The value shown belowï
[ 4.516108] get_capabilities, n = 520, head_len = 8, blk_des_len = 512
>
> ===
> BUG: KASAN: slab-out-of-bounds in sr_probe+0x570/0xcc0 at addr ffff88000009020e
> Read of size 1 by task kworker/u48:2/188
and the kasan print,
[ 4.516111] ==================================================================
[ 4.516122] BUG: KASAN: slab-out-of-bounds in sr_probe+0x4a3/0xdc0 at addr ffff880000090210
[ 4.516125] Read of size 1 by task kworker/u48:3/677
[ 4.516131] CPU: 18 PID: 677 Comm: kworker/u48:3 Not tainted 4.10.0+ #9
[ 4.516133] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 4.516143] Workqueue: events_unbound async_run_entry_fn
[ 4.516146] Call Trace:
[ 4.516156] dump_stack+0x99/0xe4
[ 4.516162] ? _atomic_dec_and_lock+0x12c/0x12c
[ 4.516166] ? sr_probe+0x4a3/0xdc0
[ 4.516172] kasan_object_err+0x1c/0x80
[ 4.516175] kasan_report.part.0+0x2e4/0x830
[ 4.516182] ? vprintk_default+0x1a/0x20
[ 4.516187] ? printk+0x94/0xb0
[ 4.516190] ? sr_probe+0x4a3/0xdc0
[ 4.516193] kasan_report+0x44/0x70
[ 4.516197] __asan_load1+0x47/0x50
[ 4.516199] sr_probe+0x4a3/0xdc0
[ 4.516204] ? __kernfs_new_node+0x142/0x1c0
[ 4.516207] ? kernfs_next_descendant_post+0x84/0xe0
[ 4.516211] ? kernfs_activate+0xa7/0x150
[ 4.516213] ? sr_block_ioctl+0x130/0x130
[ 4.516218] ? sysfs_do_create_link_sd+0xdd/0x160
[ 4.516224] ? devices_kset_move_last+0x16a/0x220
[ 4.516227] ? device_remove_groups+0x10/0x10
[ 4.516232] ? mutex_lock+0xd/0x30
[ 4.516236] ? device_links_check_suppliers+0x123/0x220
[ 4.516240] ? driver_sysfs_add+0xf9/0x1b0
[ 4.516244] driver_probe_device+0x1bf/0x4f0
[ 4.516249] __device_attach_driver+0xf8/0x1b0
[ 4.516253] ? __driver_attach+0x120/0x120
[ 4.516256] bus_for_each_drv+0xfe/0x190
[ 4.516260] ? bus_rescan_devices+0x20/0x20
[ 4.516263] __device_attach+0x16e/0x200
[ 4.516267] ? device_bind_driver+0x90/0x90
[ 4.516271] ? kobject_uevent_env+0x1ae/0x890
[ 4.516275] device_initial_probe+0xe/0x10
[ 4.516278] bus_probe_device+0x124/0x190
[ 4.516282] device_add+0x883/0xb10
[ 4.516285] ? device_private_init+0x160/0x160
[ 4.516289] ? __pm_runtime_resume+0x4d/0xa0
[ 4.516294] scsi_sysfs_add_sdev+0xdb/0x450
[ 4.516300] scsi_probe_and_add_lun+0x13da/0x1630
[ 4.516305] ? scsi_free_host_dev+0x90/0x90
[ 4.516308] ? rpm_check_suspend_allowed+0x170/0x170
[ 4.516313] ? _raw_spin_unlock_bh+0xb0/0xb0
[ 4.516316] ? rpm_check_suspend_allowed+0x9c/0x170
[ 4.516319] ? __pm_runtime_resume+0x4d/0xa0
[ 4.516323] __scsi_add_device+0x1a1/0x1c0
[ 4.516327] ? scsi_target_reap+0x60/0x60
[ 4.516332] ? async_synchronize_cookie_domain+0xbe/0x1a0
[ 4.516336] ? kobject_put+0x16/0x60
[ 4.516340] ? ata_dev_next+0xe7/0x220
[ 4.516345] ata_scsi_scan_host+0x18f/0x2d0
[ 4.516349] async_port_probe+0x5b/0xa0
[ 4.516353] ? ata_port_probe+0x80/0x80
[ 4.516357] async_run_entry_fn+0xe1/0x3b0
[ 4.516361] ? current_is_async+0x70/0x70
[ 4.516364] ? __schedule+0x487/0xde0
[ 4.516371] ? pwq_dec_nr_in_flight+0xc9/0x1f0
[ 4.516375] process_one_work+0x46a/0xb40
[ 4.516380] ? cancel_delayed_work_sync+0x10/0x10
[ 4.516384] ? worker_enter_idle+0x256/0x4d0
[ 4.516387] ? pool_mayday_timeout+0x420/0x420
[ 4.516391] worker_thread+0x10d/0x930
[ 4.516396] ? process_one_work+0xb40/0xb40
[ 4.516400] ? _raw_spin_unlock_bh+0xb0/0xb0
[ 4.516404] ? __wake_up_common+0x90/0x140
[ 4.516407] kthread+0x1cf/0x2b0
[ 4.516411] ? process_one_work+0xb40/0xb40
[ 4.516414] ? kthread_create_on_node+0xa0/0xa0
[ 4.516418] ret_from_fork+0x29/0x40
[ 4.516421] Object at ffff880000090000, in cache dma-kmalloc-512 size: 512
[ 4.516421] Allocated:
[ 4.516422] PID = 677
[ 4.516426] save_stack_trace+0x16/0x20
[ 4.516429] save_stack+0x46/0xd0
[ 4.516432] kasan_kmalloc+0xad/0xe0
[ 4.516434] __kmalloc+0x123/0x2f0
[ 4.516437] sr_probe+0x3a4/0xdc0
[ 4.516441] driver_probe_device+0x1bf/0x4f0
[ 4.516444] __device_attach_driver+0xf8/0x1b0
[ 4.516448] bus_for_each_drv+0xfe/0x190
[ 4.516451] __device_attach+0x16e/0x200
[ 4.516454] device_initial_probe+0xe/0x10
[ 4.516458] bus_probe_device+0x124/0x190
[ 4.516461] device_add+0x883/0xb10
[ 4.516464] scsi_sysfs_add_sdev+0xdb/0x450
[ 4.516468] scsi_probe_and_add_lun+0x13da/0x1630
[ 4.516472] __scsi_add_device+0x1a1/0x1c0
[ 4.516474] ata_scsi_scan_host+0x18f/0x2d0
[ 4.516478] async_port_probe+0x5b/0xa0
[ 4.516482] async_run_entry_fn+0xe1/0x3b0
[ 4.516486] process_one_work+0x46a/0xb40
[ 4.516489] worker_thread+0x10d/0x930
[ 4.516492] kthread+0x1cf/0x2b0
[ 4.516495] ret_from_fork+0x29/0x40
[ 4.516495] Freed:
[ 4.516496] PID = 0
[ 4.516497] (stack is not available)
[ 4.516497] Memory state around the buggy address:
[ 4.516502] ffff880000090100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 4.516505] ffff880000090180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 4.516508] >ffff880000090200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4.516509] ^
[ 4.516511] ffff880000090280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4.516514] ffff880000090300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[...]
>
> Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
> ---
> drivers/scsi/sr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
> index 0b29b93..5a80aa6 100644
> --- a/drivers/scsi/sr.c
> +++ b/drivers/scsi/sr.c
> @@ -852,7 +852,7 @@ static void get_capabilities(struct scsi_cd *cd)
>
>
> /* allocate transfer buffer */
> - buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
> + buffer = kmalloc(1024, GFP_KERNEL | GFP_DMA);
> if (!buffer) {
> sr_printk(KERN_ERR, cd, "out of memory.\n");
> return;
>