[PATCH 5.4 274/357] scsi: ses: Fix possible desc_ptr out-of-bounds accesses

10 Mar 2023

From: Tomas Henzl thenzl@redhat.com
commit 801ab13d50cf3d26170ee073ea8bb4eececb76ab upstream.
Sanitize possible desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().
Link: https://lore.kernel.org/r/20230202162451.15346-4-thenzl@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Tomas Henzl thenzl@redhat.com
Signed-off-by: Martin K. Petersen martin.petersen@oracle.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/scsi/ses.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -572,15 +572,19 @@ static void ses_enclosure_data_process(s
    		int max_desc_len;
if (desc_ptr) {
-				if (desc_ptr >= buf + page7_len) {
+				if (desc_ptr + 3 >= buf + page7_len) {
    				desc_ptr = NULL;
    			} else {
    				len = (desc_ptr[2] << 8) + desc_ptr[3];
    				desc_ptr += 4;
-					/* Add trailing zero - pushes into
-					 * reserved space */
-					desc_ptr[len] = '\0';
-					name = desc_ptr;
+					if (desc_ptr + len > buf + page7_len)
+						desc_ptr = NULL;
+					else {
+						/* Add trailing zero - pushes into
+						 * reserved space */
+						desc_ptr[len] = '\0';
+						name = desc_ptr;
+					}
    			}
    		}
    		if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||

    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 5.4 274/357] scsi: ses: Fix possible desc_ptr out-of-bounds accesses