diff options
author | Tomas Henzl <thenzl@redhat.com> | 2023-02-02 17:24:51 +0100 |
---|---|---|
committer | Martin K. Petersen <martin.petersen@oracle.com> | 2023-02-21 23:32:04 +0100 |
commit | 578797f0c8cbc2e3ec5fc0dab87087b4c7073686 (patch) | |
tree | b65fd78e99321280cd8f20f4f26e35252b11719d | |
parent | scsi: ses: Fix possible desc_ptr out-of-bounds accesses (diff) | |
download | linux-578797f0c8cbc2e3ec5fc0dab87087b4c7073686.tar.xz linux-578797f0c8cbc2e3ec5fc0dab87087b4c7073686.zip |
scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
A fix for:
BUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses]
Read of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013
When edev->components is zero, accessing edev->component[0] members is
wrong.
Link: https://lore.kernel.org/r/20230202162451.15346-5-thenzl@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-rw-r--r-- | drivers/scsi/ses.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c index f8031d0782f7..9d4fb09acc1e 100644 --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -856,7 +856,8 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev) kfree(ses_dev->page2); kfree(ses_dev); - kfree(edev->component[0].scratch); + if (edev->components) + kfree(edev->component[0].scratch); put_device(&edev->edev); enclosure_unregister(edev); |