Hi all,

On 2017/3/3 18:17, Kefeng Wang wrote:
> 'n = header_length + block_descriptor_length' could be greater than 512,
> and will lead to oob access, so enlarge transfer buffer to fix it.

I am not familiar with scsi protocol,so the patch may be wrong.
Question, is it reasonable for block_descriptor_length = 512 when mode page = 
0x2a?

The value shown below,

[    4.516108] get_capabilities, n = 520, head_len = 8, blk_des_len = 512

> 
> ===
> BUG: KASAN: slab-out-of-bounds in sr_probe+0x570/0xcc0 at addr 
> ffff88000009020e
> Read of size 1 by task kworker/u48:2/188
and the kasan print,

[    4.516111] 
==================================================================
[    4.516122] BUG: KASAN: slab-out-of-bounds in sr_probe+0x4a3/0xdc0 at addr 
ffff880000090210
[    4.516125] Read of size 1 by task kworker/u48:3/677
[    4.516131] CPU: 18 PID: 677 Comm: kworker/u48:3 Not tainted 4.10.0+ #9
[    4.516133] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[    4.516143] Workqueue: events_unbound async_run_entry_fn
[    4.516146] Call Trace:
[    4.516156]  dump_stack+0x99/0xe4
[    4.516162]  ? _atomic_dec_and_lock+0x12c/0x12c
[    4.516166]  ? sr_probe+0x4a3/0xdc0
[    4.516172]  kasan_object_err+0x1c/0x80
[    4.516175]  kasan_report.part.0+0x2e4/0x830
[    4.516182]  ? vprintk_default+0x1a/0x20
[    4.516187]  ? printk+0x94/0xb0
[    4.516190]  ? sr_probe+0x4a3/0xdc0
[    4.516193]  kasan_report+0x44/0x70
[    4.516197]  __asan_load1+0x47/0x50
[    4.516199]  sr_probe+0x4a3/0xdc0
[    4.516204]  ? __kernfs_new_node+0x142/0x1c0
[    4.516207]  ? kernfs_next_descendant_post+0x84/0xe0
[    4.516211]  ? kernfs_activate+0xa7/0x150
[    4.516213]  ? sr_block_ioctl+0x130/0x130
[    4.516218]  ? sysfs_do_create_link_sd+0xdd/0x160
[    4.516224]  ? devices_kset_move_last+0x16a/0x220
[    4.516227]  ? device_remove_groups+0x10/0x10
[    4.516232]  ? mutex_lock+0xd/0x30
[    4.516236]  ? device_links_check_suppliers+0x123/0x220
[    4.516240]  ? driver_sysfs_add+0xf9/0x1b0
[    4.516244]  driver_probe_device+0x1bf/0x4f0
[    4.516249]  __device_attach_driver+0xf8/0x1b0
[    4.516253]  ? __driver_attach+0x120/0x120
[    4.516256]  bus_for_each_drv+0xfe/0x190
[    4.516260]  ? bus_rescan_devices+0x20/0x20
[    4.516263]  __device_attach+0x16e/0x200
[    4.516267]  ? device_bind_driver+0x90/0x90
[    4.516271]  ? kobject_uevent_env+0x1ae/0x890
[    4.516275]  device_initial_probe+0xe/0x10
[    4.516278]  bus_probe_device+0x124/0x190
[    4.516282]  device_add+0x883/0xb10
[    4.516285]  ? device_private_init+0x160/0x160
[    4.516289]  ? __pm_runtime_resume+0x4d/0xa0
[    4.516294]  scsi_sysfs_add_sdev+0xdb/0x450
[    4.516300]  scsi_probe_and_add_lun+0x13da/0x1630
[    4.516305]  ? scsi_free_host_dev+0x90/0x90
[    4.516308]  ? rpm_check_suspend_allowed+0x170/0x170
[    4.516313]  ? _raw_spin_unlock_bh+0xb0/0xb0
[    4.516316]  ? rpm_check_suspend_allowed+0x9c/0x170
[    4.516319]  ? __pm_runtime_resume+0x4d/0xa0
[    4.516323]  __scsi_add_device+0x1a1/0x1c0
[    4.516327]  ? scsi_target_reap+0x60/0x60
[    4.516332]  ? async_synchronize_cookie_domain+0xbe/0x1a0
[    4.516336]  ? kobject_put+0x16/0x60
[    4.516340]  ? ata_dev_next+0xe7/0x220
[    4.516345]  ata_scsi_scan_host+0x18f/0x2d0
[    4.516349]  async_port_probe+0x5b/0xa0
[    4.516353]  ? ata_port_probe+0x80/0x80
[    4.516357]  async_run_entry_fn+0xe1/0x3b0
[    4.516361]  ? current_is_async+0x70/0x70
[    4.516364]  ? __schedule+0x487/0xde0
[    4.516371]  ? pwq_dec_nr_in_flight+0xc9/0x1f0
[    4.516375]  process_one_work+0x46a/0xb40
[    4.516380]  ? cancel_delayed_work_sync+0x10/0x10
[    4.516384]  ? worker_enter_idle+0x256/0x4d0
[    4.516387]  ? pool_mayday_timeout+0x420/0x420
[    4.516391]  worker_thread+0x10d/0x930
[    4.516396]  ? process_one_work+0xb40/0xb40
[    4.516400]  ? _raw_spin_unlock_bh+0xb0/0xb0
[    4.516404]  ? __wake_up_common+0x90/0x140
[    4.516407]  kthread+0x1cf/0x2b0
[    4.516411]  ? process_one_work+0xb40/0xb40
[    4.516414]  ? kthread_create_on_node+0xa0/0xa0
[    4.516418]  ret_from_fork+0x29/0x40
[    4.516421] Object at ffff880000090000, in cache dma-kmalloc-512 size: 512
[    4.516421] Allocated:
[    4.516422] PID = 677
[    4.516426]  save_stack_trace+0x16/0x20
[    4.516429]  save_stack+0x46/0xd0
[    4.516432]  kasan_kmalloc+0xad/0xe0
[    4.516434]  __kmalloc+0x123/0x2f0
[    4.516437]  sr_probe+0x3a4/0xdc0
[    4.516441]  driver_probe_device+0x1bf/0x4f0
[    4.516444]  __device_attach_driver+0xf8/0x1b0
[    4.516448]  bus_for_each_drv+0xfe/0x190
[    4.516451]  __device_attach+0x16e/0x200
[    4.516454]  device_initial_probe+0xe/0x10
[    4.516458]  bus_probe_device+0x124/0x190
[    4.516461]  device_add+0x883/0xb10
[    4.516464]  scsi_sysfs_add_sdev+0xdb/0x450
[    4.516468]  scsi_probe_and_add_lun+0x13da/0x1630
[    4.516472]  __scsi_add_device+0x1a1/0x1c0
[    4.516474]  ata_scsi_scan_host+0x18f/0x2d0
[    4.516478]  async_port_probe+0x5b/0xa0
[    4.516482]  async_run_entry_fn+0xe1/0x3b0
[    4.516486]  process_one_work+0x46a/0xb40
[    4.516489]  worker_thread+0x10d/0x930
[    4.516492]  kthread+0x1cf/0x2b0
[    4.516495]  ret_from_fork+0x29/0x40
[    4.516495] Freed:
[    4.516496] PID = 0
[    4.516497] (stack is not available)
[    4.516497] Memory state around the buggy address:
[    4.516502]  ffff880000090100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00
[    4.516505]  ffff880000090180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00
[    4.516508] >ffff880000090200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc
[    4.516509]                          ^
[    4.516511]  ffff880000090280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc
[    4.516514]  ffff880000090300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc


[...]

> 
> Signed-off-by: Kefeng Wang <wangkefeng.w...@huawei.com>
> ---
>  drivers/scsi/sr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
> index 0b29b93..5a80aa6 100644
> --- a/drivers/scsi/sr.c
> +++ b/drivers/scsi/sr.c
> @@ -852,7 +852,7 @@ static void get_capabilities(struct scsi_cd *cd)
>  
>  
>       /* allocate transfer buffer */
> -     buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
> +     buffer = kmalloc(1024, GFP_KERNEL | GFP_DMA);
>       if (!buffer) {
>               sr_printk(KERN_ERR, cd, "out of memory.\n");
>               return;
> 


Reply via email to