From: Tomas Henzl <thenzl@redhat.com>
Date: Thu, 2 Feb 2023 16:24:50 +0000 (+0100)
Subject: scsi: ses: Fix possible desc_ptr out-of-bounds accesses
X-Git-Tag: v6.6.7~3346^2~29
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=801ab13d50cf3d26170ee073ea8bb4eececb76ab;p=platform%2Fkernel%2Flinux-starfive.git

scsi: ses: Fix possible desc_ptr out-of-bounds accesses

Sanitize possible desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().

Link: https://lore.kernel.org/r/20230202162451.15346-4-thenzl@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 458ca7a..f8031d0 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -578,15 +578,19 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
 			int max_desc_len;
 
 			if (desc_ptr) {
-				if (desc_ptr >= buf + page7_len) {
+				if (desc_ptr + 3 >= buf + page7_len) {
 					desc_ptr = NULL;
 				} else {
 					len = (desc_ptr[2] << 8) + desc_ptr[3];
 					desc_ptr += 4;
-					/* Add trailing zero - pushes into
-					 * reserved space */
-					desc_ptr[len] = '\0';
-					name = desc_ptr;
+					if (desc_ptr + len > buf + page7_len)
+						desc_ptr = NULL;
+					else {
+						/* Add trailing zero - pushes into
+						 * reserved space */
+						desc_ptr[len] = '\0';
+						name = desc_ptr;
+					}
 				}
 			}
 			if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||