
Replace 1-element array in drivers/scsi/pm8001/pm8001_sas.h #207

Closed GustavoARSilva closed 1 year ago

GustavoARSilva commented 1 year ago

drivers/scsi/pm8001/pm8001_sas.h:

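/*
 * Firmware-control request/response block.
 *
 * Eight u32 header fields are followed by a variable-length payload: @len
 * is the number of payload bytes and @buffer is where they start (callers
 * memcpy() @len bytes into and out of @buffer).
 *
 * @buffer used to be declared as a one-element array, u8 buffer[1], while
 * being used as an open-ended buffer; the compiler cannot bounds-check that
 * shape and it trips -Warray-bounds / FORTIFY_SOURCE.  It is now a C99
 * flexible array member.  NOTE(review): this drops the old trailing element
 * and its padding from sizeof(struct fw_control_info) (36 -> 32 bytes with
 * 4-byte u32 alignment), so any caller that sizes an allocation or a copy
 * with sizeof() on this struct must be re-checked.
 */
struct fw_control_info {
	u32			retcode;	/* return code (status) */
	u32			phase;		/* return code phase */
	u32			phaseCmplt;	/* percent complete for the current
						 * update phase */
	u32			version;	/* hex encoded firmware version number */
	u32			offset;		/* used for downloading firmware */
	u32			len;		/* number of valid bytes in @buffer */
	u32			size;		/* used in OS VPD and Trace get size
						 * operations */
	u32			reserved;	/* padding required for 64 bit
						 * alignment */
	u8			buffer[];	/* start of variable-length payload */
};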

Audit (at least) all these places where the one-element array is being used as a flexible array (the `-` lines in the diffs below mark the uses found; they are not proposed deletions):

diff -u -p drivers/scsi/pm8001/pm8001_ctl.c /tmp/nothing/pm8001/pm8001_ctl.c
--- drivers/scsi/pm8001/pm8001_ctl.c
+++ /tmp/nothing/pm8001/pm8001_ctl.c
@@ -768,10 +768,8 @@ static int pm8001_update_flash(struct pm

                        if (loopcount - loopNumber == 1 && fc_len) {
                                fwControl->len = fc_len;
-                               memcpy((u8 *)fwControl->buffer, read_buf, fc_len);
                                sizeRead += fc_len;
                        } else {
-                               memcpy((u8 *)fwControl->buffer, read_buf, IOCTL_BUF_SIZE);
                                sizeRead += IOCTL_BUF_SIZE;
                        }
diff -u -p drivers/scsi/pm8001/pm8001_hwi.c /tmp/nothing/pm8001/pm8001_hwi.c
--- drivers/scsi/pm8001/pm8001_hwi.c
+++ /tmp/nothing/pm8001/pm8001_hwi.c
@@ -4774,7 +4774,6 @@ pm8001_chip_fw_flash_update_req(struct p
        pm8001_dbg(pm8001_ha, DEVIO,
                   "dma fw_control context input length :%x\n",
                   fw_control->len);
-       memcpy(buffer, fw_control->buffer, fw_control->len);
        flash_update_info.sgl.addr = cpu_to_le64(phys_addr);
        flash_update_info.sgl.im_len.len = cpu_to_le32(fw_control->len);
        flash_update_info.sgl.im_len.e = 0;
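Review bot: The copy `memcpy(buffer, fw_control->buffer, fw_control->len)` is bounded only by `fw_control->len`, and nothing in this hunk ties that length to the size of the memory `fw_control` lives in or to the size of `buffer`; turning `buffer[1]` into a flexible array member makes the compiler's destination-side check on `fw_control->buffer` silent rather than wrong, so the length still needs an explicit upper bound. If `fw_control` is built from the ioctl-style payload that pm8001_update_flash in pm8001_ctl.c fills (it appears to be, but confirm), `len` should be validated against the containing payload before this copy, e.g. a guard of the form `if (fw_control->len > max_payload_len) return -EINVAL;` placed ahead of the memcpy, with the limit derived from the payload allocation. Where the tree's compiler support allows it, declaring the member as `u8 buffer[] __counted_by(len);` would let the source side of this copy be bounds-checked as well. pm8001_chip_fw_flash_update_req starts before this hunk and continues after it.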
GustavoARSilva commented 1 year ago

I just sent a patch for this: https://lore.kernel.org/linux-hardening/Yyy31OuBza1FJCXP@work/