
Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Replace 1-element arrays in drivers/scsi/hptiop.h #205

Closed GustavoARSilva closed 1 year ago

GustavoARSilva commented 1 year ago

drivers/scsi/hptiop.h:

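struct hpt_iop_request_scsi_command {
	struct hpt_iop_request_header header;
	u8     channel;
	u8     target;
	u8     lun;
	u8     pad1;
	u8     cdb[16];
	__le32 dataxfer_length;
	/*
	 * Trailing scatter/gather list; hptiop.c fills it with
	 * hptiop_buildsgl() and, on SAM_STAT_CHECK_CONDITION, the IOP returns
	 * sense data in this area (hptiop_finish_scsi_req() copies
	 * SCSI_SENSE_BUFFERSIZE bytes out of it). A flexible array member is
	 * used instead of a one-element array so that FORTIFY_SOURCE and
	 * -Warray-bounds no longer believe the array holds exactly one entry.
	 *
	 * NOTE(review): sizeof(struct hpt_iop_request_scsi_command) no longer
	 * includes one struct hpt_iopsg. Any header.size computed as
	 * sizeof(*req) - sizeof(struct hpt_iopsg) + n * sizeof(struct hpt_iopsg)
	 * must become struct_size(req, sg_list, n); audit hptiop.c before
	 * merging.
	 */
	struct hpt_iopsg sg_list[];
};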
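struct hpt_iop_request_ioctl_command {
	struct hpt_iop_request_header header;
	__le32 ioctl_code;
	__le32 inbuf_size;
	__le32 outbuf_size;
	__le32 bytes_returned;
	/*
	 * Input data starts at buf[0]; output data is placed at
	 * buf[(inbuf_size + 3) & ~3], i.e. at the next 4-byte boundary after
	 * the input, and hptiop.c reads it back from that offset with
	 * memcpy_fromio(). A flexible array member is used instead of a
	 * one-element array; the request must be allocated large enough to
	 * hold the aligned input plus outbuf_size bytes beyond sizeof(*this).
	 *
	 * NOTE(review): sizeof(struct hpt_iop_request_ioctl_command) shrinks
	 * (the former buf[1] plus its tail padding). Check every size
	 * computation in hptiop.c that relied on the old sizeof() before
	 * merging.
	 */
	u8     buf[];
};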

Audit (at least) the following places where the one-element arrays are used. The diff below only deletes each use to locate it; the real conversion keeps these uses and must also fix any size computation that relied on sizeof() including the trailing element:

diff -u -p drivers/scsi/hptiop.c /tmp/nothing/hptiop.c
--- drivers/scsi/hptiop.c
+++ /tmp/nothing/hptiop.c
@@ -756,7 +756,6 @@ static void hptiop_finish_scsi_req(struc
                scsi_set_resid(scp,
                        scsi_bufflen(scp) - le32_to_cpu(req->dataxfer_length));
                scp->result = SAM_STAT_CHECK_CONDITION;
-               memcpy(scp->sense_buffer, &req->sg_list, SCSI_SENSE_BUFFERSIZE);
                goto skip_resid;

        default:
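Review bot: The memcpy marked by the removed line reads SCSI_SENSE_BUFFERSIZE bytes starting at sg_list, far more than one struct hpt_iopsg, which is presumably why a one-element array trips FORTIFY_SOURCE/-Warray-bounds at this site; once sg_list is a flexible array member the bounds checker treats it as unbounded, so the only thing keeping this read inside the request is the slot allocation in hptiop.c, which is not in this hunk — confirm each slot holds at least offsetof(struct hpt_iop_request_scsi_command, sg_list) + SCSI_SENSE_BUFFERSIZE bytes. When the line is restored in the real patch I would also drop the address-of, `memcpy(scp->sense_buffer, req->sg_list, SCSI_SENSE_BUFFERSIZE);`, since `&req->sg_list` is a pointer to the whole array and its size is no longer meaningful with a flexible member. This locating diff deletes the line; the real conversion keeps it. hptiop_finish_scsi_req starts and ends outside the hunk.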
@@ -817,7 +816,6 @@ static void hptiop_iop_request_callback_

                if (arg->outbuf_size)
                        memcpy_fromio(arg->outbuf,
-                               &p->buf[(readl(&p->inbuf_size) + 3)& ~3],
                                arg->outbuf_size);

                if (arg->bytes_returned)
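Review bot: The output offset on the marked line is the open-coded rounding `(readl(&p->inbuf_size) + 3)& ~3`, duplicating the comment in hptiop.h; with buf as a flexible array member this use stays as it is, and I would write it as `&p->buf[ALIGN(readl(&p->inbuf_size), 4)]` so the 4-byte alignment is named rather than spelled out (and the odd `)& ~3` spacing goes away). Nothing in this hunk bounds that offset plus arg->outbuf_size against the size of the request slot; presumably the driver itself wrote inbuf_size earlier in the ioctl path, but that is outside the hunk and worth confirming so a value read back from device memory cannot move the memcpy_fromio source past the slot. hptiop_iop_request_callback_ starts and ends outside the hunk.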
@@ -1033,7 +1031,6 @@ static int hptiop_queuecommand_lck(struc
        req = _req->req_virt;

        /* build S/G table */
-       sg_count = hptiop_buildsgl(scp, req->sg_list);
        if (!sg_count)
                HPT_SCP(scp)->mapped = 0;
GustavoARSilva commented 1 year ago

I just sent some patches for this: https://lore.kernel.org/linux-hardening/cover.1663865333.git.gustavoars@kernel.org/ https://lore.kernel.org/linux-hardening/YyyUvuId7dAZadej@work/