[Bug 284587] integer wrap and invalid read in scsi_sa saloadtimeouts()
Date: Wed, 05 Feb 2025 10:28:12 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284587
Bug ID: 284587
Summary: integer wrap and invalid read in scsi_sa saloadtimeouts()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
In saloadtimeouts() in scsi_sa.c:
    avail_len = scsi_4btoul(hdr->length) + sizeof(hdr->length);
    ...;
    used_len = sizeof(hdr->length);
    avail_len = MIN(avail_len, valid_len - sizeof(*hdr));
    ...;
    while ((avail_len - used_len) > sizeof(*desc)) {
        ...;
        cur_ptr = &buf[used_len];
        ...;
        used_len += sizeof(*desc);
The SCSI device can cause hdr->length to be -4, since it's a field in
the response to a REPORT SUPPORTED OPERATION CODES. Then avail_len is
zero, so avail_len - used_len is huge (since unsigned) and the while
loop runs for many iterations when it shouldn't. Depending on the
details, used_len can advance so that it's beyond the end of buf[].
And a little later:
    td = (struct scsi_report_supported_opcodes_timeout *)cur_ptr;
    td_len = scsi_2btoul(td->length);
    td_len += sizeof(td->length);
    used_len += td_len;
td->length is supplied by the SCSI device, and if it's large, it can
cause used_len to be big enough that the while-loop's "avail_len - used_len"
wraps, again causing the while loop to proceed when it ought to terminate.
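As an added illustration (not code from the report or from scsi_sa.c), the following user-space mock reproduces the loop's arithmetic so the wrap can be observed without touching a device: with a length field of 0xFFFFFFFC the original condition keeps iterating until cur_ptr would leave the buffer, while a condition that first checks used_len < avail_len terminates at once. The layout, HDR_SIZE, DESC_SIZE, walk_descriptors() and the two sample responses are assumptions made for this demo; the same used_len < avail_len check also covers the later td_len case, because it is the ordering of the two operands, not which one the device inflated, that makes the subtraction wrap.

```c
#include <stdint.h>

/* Constructed mock of the layout the report describes, not the kernel's real
 * structs: a 4-byte big-endian length header followed by fixed-size
 * descriptors. HDR_SIZE assumes sizeof(*hdr) == sizeof(hdr->length);
 * DESC_SIZE is an assumed illustration value for sizeof(*desc). */
#define HDR_SIZE  4u
#define DESC_SIZE 8u
#define MAX_ITER  1000   /* demo cap so a wrapped loop still terminates */

static uint32_t get4be(const uint8_t *p)   /* stand-in for scsi_4btoul() */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walks the descriptors and returns how many were visited, or -1 if the loop
 * would have read past buf. checked == 0 reproduces the report's condition;
 * checked == 1 first requires used_len < avail_len, so the unsigned
 * subtraction cannot wrap whatever the device put in the length field. */
int walk_descriptors(const uint8_t *buf, uint32_t valid_len, int checked)
{
    uint32_t avail_len, used_len;
    int n = 0;

    if (valid_len < HDR_SIZE)
        return 0;
    avail_len = get4be(buf) + HDR_SIZE;   /* 0xFFFFFFFC + 4 wraps to 0 */
    used_len = HDR_SIZE;
    if (avail_len > valid_len - HDR_SIZE) /* the MIN() from the report */
        avail_len = valid_len - HDR_SIZE;

    for (;;) {
        if (checked) {
            if (used_len >= avail_len || avail_len - used_len <= DESC_SIZE)
                break;
        } else if (!((avail_len - used_len) > DESC_SIZE)) {
            break;                        /* 0 - 4 is huge, so no break */
        }
        if (used_len + DESC_SIZE > valid_len || n >= MAX_ITER)
            return -1;                    /* cur_ptr would leave buf */
        n++;                              /* cur_ptr = &buf[used_len] ... */
        used_len += DESC_SIZE;
    }
    return n;
}

/* Constructed sample responses: a 4-byte length of 0xFFFFFFFC (-4) as in the
 * report, and a well-formed one announcing 16 bytes of descriptors. */
const uint8_t bad_resp[16]  = { 0xFF, 0xFF, 0xFF, 0xFC };
const uint8_t good_resp[24] = { 0x00, 0x00, 0x00, 0x10 };
```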