scsi: ips: Avoid over-read of sense buffer

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy() avoid intentionally reading across neighboring array fields. scb->scsi_cmd->sense_buffer is 96 bytes: #define SCSI_SENSE_BUFFERSIZE 96 tapeDCDB->sense_info is 56 bytes: typedef struct { ... uint8_t sense_info[56]; } IPS_DCDB_TABLE_TAPE, ... scb->dcdb.sense_info is 64 bytes: typedef struct { ... uint8_t sense_info[64]; ... } IPS_DCDB_TABLE, ... Copying 96 bytes from either was copying beyond the end of the respective buffers, leading to potential memory content exposures. Correctly copy the actual buffer contents and zero pad the remaining bytes. Link: https://lore.kernel.org/r/20210616212408.1726812-1-keescook@chromium.org Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2024-11-11 22:51:42 +00:00 · 2021-06-16 14:24:08 -07:00 · 2021-06-16 14:24:08 -07:00 · 4ab293c280
commit 4ab293c280
parent d8b34a32a4
1 changed files with 6 additions and 4 deletions
--- a/drivers/scsi/ips.c
+++ b/drivers/scsi/ips.c
@ -3344,13 +3344,15 @@ ips_map_status(ips_ha_t * ha, ips_scb_t * scb, ips_stat_t * sp)
 					IPS_CMD_EXTENDED_DCDB_SG)) {
 					tapeDCDB =
 					    (IPS_DCDB_TABLE_TAPE *) & scb->dcdb;
-					memcpy(scb->scsi_cmd->sense_buffer,
+					memcpy_and_pad(scb->scsi_cmd->sense_buffer,
+					       SCSI_SENSE_BUFFERSIZE,
 					       tapeDCDB->sense_info,
-					       SCSI_SENSE_BUFFERSIZE);
+					       sizeof(tapeDCDB->sense_info), 0);
 				} else {
-					memcpy(scb->scsi_cmd->sense_buffer,
+					memcpy_and_pad(scb->scsi_cmd->sense_buffer,
+					       SCSI_SENSE_BUFFERSIZE,
 					       scb->dcdb.sense_info,
-					       SCSI_SENSE_BUFFERSIZE);
+					       sizeof(scb->dcdb.sense_info), 0);
 				}
 				device_error = 2;	/* check condition */
 			}