Date: Wed, 05 Feb 2025 10:28:12 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 284587] integer wrap and invalid read in scsi_sa saloadtimeouts()
Message-ID: <bug-284587-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284587

            Bug ID: 284587
           Summary: integer wrap and invalid read in scsi_sa saloadtimeouts()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In saloadtimeouts() in scsi_sa.c:

    avail_len = scsi_4btoul(hdr->length) + sizeof(hdr->length);
    ...;
    used_len = sizeof(hdr->length);
    avail_len = MIN(avail_len, valid_len - sizeof(*hdr));
    ...;
    while ((avail_len - used_len) > sizeof(*desc)) {
        ...;
        cur_ptr = &buf[used_len];
        ...;
        used_len += sizeof(*desc);

The SCSI device can cause hdr->length to be -4, since it's a field in the
response to a REPORT SUPPORTED OPERATION CODES. Then avail_len is zero, so
avail_len - used_len is huge (since unsigned) and the while loop runs for
many iterations when it shouldn't. Depending on the details, used_len can
advance so that it's beyond the end of buf[].

And a little later:

    td = (struct scsi_report_supported_opcodes_timeout *)cur_ptr;
    td_len = scsi_2btoul(td->length);
    td_len += sizeof(td->length);
    used_len += td_len;

td->length is supplied by the SCSI device, and if it's large, it can cause
used_len to be big enough that the while-loop's "avail_len - used_len"
wraps, again causing the while loop to proceed when it ought to terminate.

--
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-284587-227>
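The program below is an added illustration of the two wrap conditions in the report; it is not part of the bug report and not FreeBSD's scsi_sa.c. It walks a REPORT SUPPORTED OPERATION CODES all-commands response twice: once with the loop test exactly as quoted above, instrumented to record (instead of perform) the first read past the received bytes, and once with the ordering checks that keep avail_len - used_len from ever wrapping. The struct layouts, the RSO_CTDP flag value, the helper names (walk_as_reported, walk_checked, build_sample, run_sample) and the three sample responses are assumptions constructed for this example, simplified from the SPC format rather than copied from FreeBSD's headers.

```c
/* Added example (not FreeBSD code): unsigned wrap in a descriptor-list walk,
 * as reported for saloadtimeouts(), beside a bounds-checked version. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified layouts (assumed here; modelled on the SPC all-commands format). */
struct rso_all_hdr { uint8_t length[4]; };                       /* list length, big-endian */
struct rso_descr   { uint8_t opcode, rsvd, sa[2], rsvd2, flags, cdb_len[2]; }; /* 8 bytes */
struct rso_timeout { uint8_t length[2], rsvd, cmd_specific, nominal[4], recommended[4]; }; /* 12 bytes */
#define RSO_CTDP 0x02                    /* assumed: "timeout descriptor present" flag */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

static uint32_t get4be(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t get2be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put4be(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void put2be(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }

struct walk_result { int descriptors; int timeouts; int oob; int malformed; };

/* Loop condition as quoted in the report. Each access is checked against
 * valid_len before it happens so the demo records the out-of-bounds read
 * instead of performing it; the iteration cap only keeps the demo finite. */
static struct walk_result walk_as_reported(const uint8_t *buf, uint32_t valid_len)
{
    struct walk_result r = {0};
    const struct rso_all_hdr *hdr = (const struct rso_all_hdr *)buf;
    uint32_t avail_len, used_len;
    int iter = 0;

    avail_len = get4be(hdr->length) + sizeof(hdr->length);   /* 0xFFFFFFFC + 4 wraps to 0 */
    used_len = sizeof(hdr->length);
    avail_len = MIN(avail_len, valid_len - sizeof(*hdr));     /* MIN cannot undo the wrap */

    while ((avail_len - used_len) > sizeof(struct rso_descr)) {   /* wraps once used_len > avail_len */
        if (iter++ >= 64) break;
        if ((uint64_t)used_len + sizeof(struct rso_descr) > valid_len) { r.oob = 1; break; }
        const struct rso_descr *desc = (const struct rso_descr *)&buf[used_len];
        r.descriptors++;
        used_len += sizeof(*desc);
        if (desc->flags & RSO_CTDP) {
            if ((uint64_t)used_len + sizeof(struct rso_timeout) > valid_len) { r.oob = 1; break; }
            const struct rso_timeout *td = (const struct rso_timeout *)&buf[used_len];
            uint32_t td_len = get2be(td->length) + sizeof(td->length);   /* device-controlled, up to 65537 */
            r.timeouts++;
            used_len += td_len;                                          /* may jump far past avail_len */
        }
    }
    return r;
}

/* Checked walk: the advertised length is clamped to the bytes received using
 * 64-bit arithmetic, and every subtraction is preceded by an ordering test. */
static struct walk_result walk_checked(const uint8_t *buf, uint32_t valid_len)
{
    struct walk_result r = {0};
    const struct rso_all_hdr *hdr = (const struct rso_all_hdr *)buf;
    uint32_t list_len, avail_len, used_len;

    if (valid_len < sizeof(*hdr)) { r.malformed = 1; return r; }
    list_len = get4be(hdr->length);
    if ((uint64_t)list_len + sizeof(hdr->length) > valid_len) {      /* no 32-bit wrap possible here */
        r.malformed = 1;
        list_len = valid_len - sizeof(hdr->length);
    }
    avail_len = list_len + sizeof(hdr->length);                      /* now <= valid_len */
    used_len = sizeof(hdr->length);

    while (used_len < avail_len && avail_len - used_len >= sizeof(struct rso_descr)) {
        const struct rso_descr *desc = (const struct rso_descr *)&buf[used_len];
        r.descriptors++;
        used_len += sizeof(*desc);                                   /* still <= avail_len */
        if (desc->flags & RSO_CTDP) {
            if (avail_len - used_len < sizeof(struct rso_timeout)) { r.malformed = 1; break; }
            const struct rso_timeout *td = (const struct rso_timeout *)&buf[used_len];
            uint32_t td_len = get2be(td->length) + sizeof(td->length);
            /* must cover its own fixed fields and fit in the remaining list */
            if (td_len < sizeof(*td) || td_len > avail_len - used_len) { r.malformed = 1; break; }
            r.timeouts++;
            used_len += td_len;
        }
    }
    return r;
}

enum sample { SAMPLE_GOOD, SAMPLE_NEG_HEADER, SAMPLE_HUGE_TIMEOUT };

/* Constructed responses (not captured from a device); returns valid_len. */
static uint32_t build_sample(enum sample which, uint8_t *buf, size_t cap)
{
    memset(buf, 0, cap);
    switch (which) {
    case SAMPLE_GOOD:          put4be(buf, 20); buf[9] = RSO_CTDP; buf[11] = 6; put2be(buf + 12, 10); break;
    case SAMPLE_NEG_HEADER:    put4be(buf, 0xFFFFFFFCu); break;                       /* hdr->length == -4 */
    case SAMPLE_HUGE_TIMEOUT:  put4be(buf, 60); buf[9] = RSO_CTDP; put2be(buf + 12, 0xFFFF); break;
    }
    return 64;
}

static struct walk_result run_sample(enum sample which, int checked)
{
    uint8_t buf[64];
    uint32_t n = build_sample(which, buf, sizeof buf);
    return checked ? walk_checked(buf, n) : walk_as_reported(buf, n);
}

int main(void)
{
    static const char *names[] = { "good", "neg_header", "huge_timeout" };
    for (int s = 0; s < 3; s++)
        for (int c = 0; c < 2; c++) {
            struct walk_result r = run_sample((enum sample)s, c);
            printf("%-12s %-8s descr=%d timeouts=%d oob=%d malformed=%d\n",
                   names[s], c ? "checked" : "reported", r.descriptors, r.timeouts, r.oob, r.malformed);
        }
    return 0;
}
```

On the well-formed sample both walks agree. With hdr->length == -4 the quoted loop keeps consuming zero-filled 8-byte descriptors until its next read would leave the buffer, exactly the "huge (since unsigned)" case; with a 0xFFFF timeout length it takes one descriptor, adds 65537 to used_len and then passes the wrapped test again. The checked walk clamps the first case to the received bytes and refuses the second before touching anything past the list.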