1 From 1c3122db53825b4f335d77d9eefe54ed88bf9007 Mon Sep 17 00:00:00 2001
2 From: YueHaibing <yuehaibing@huawei.com>
3 Date: Sat, 20 Apr 2019 12:05:54 +0800
4 Subject: scsi: qedi: remove memset/memcpy to nfunc and use func instead
5
6 [ Upstream commit c09581a52765a85f19fc35340127396d5e3379cc ]
7
8 KASAN reports this:
9
10 BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi]
11 Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429
12
13 CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
15 Call Trace:
16 __dump_stack lib/dump_stack.c:77 [inline]
17 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
18 print_address_description+0x1c4/0x270 mm/kasan/report.c:187
19 kasan_report+0x149/0x18d mm/kasan/report.c:317
20 memcpy+0x1f/0x50 mm/kasan/common.c:130
21 qedi_dbg_err+0xda/0x330 [qedi]
22 ? 0xffffffffc12d0000
23 qedi_init+0x118/0x1000 [qedi]
24 ? 0xffffffffc12d0000
25 ? 0xffffffffc12d0000
26 ? 0xffffffffc12d0000
27 do_one_initcall+0xfa/0x5ca init/main.c:887
28 do_init_module+0x204/0x5f6 kernel/module.c:3460
29 load_module+0x66b2/0x8570 kernel/module.c:3808
30 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
31 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
32 entry_SYSCALL_64_after_hwframe+0x49/0xbe
33 RIP: 0033:0x462e99
34 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
35 RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
36 RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99
37 RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
38 RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000
39 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc
40 R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
41
42 The buggy address belongs to the variable:
43 __func__.67584+0x0/0xffffffffffffd520 [qedi]
44
45 Memory state around the buggy address:
46 ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
47 ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa
48 > ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa
49 ^
50 ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa
51 ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa
52
53 Currently the qedi_dbg_* family of functions can overrun the end of the
54 source string if it is shorter than the destination buffer because of
55 the use of a fixed-size memcpy. Remove the memset/memcpy calls to nfunc
56 and just use func instead, as it is always a NUL-terminated string.
57
58 Reported-by: Hulk Robot <hulkci@huawei.com>
59 Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
60 Signed-off-by: YueHaibing <yuehaibing@huawei.com>
61 Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
62 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
63 Signed-off-by: Sasha Levin <sashal@kernel.org>
64 ---
65 drivers/scsi/qedi/qedi_dbg.c | 32 ++++++++------------------------
66 1 file changed, 8 insertions(+), 24 deletions(-)
67
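diff --git a/drivers/scsi/qedi/qedi_dbg.c b/drivers/scsi/qedi/qedi_dbg.c
index 8fd28b056f73..3383314a3882 100644
--- a/drivers/scsi/qedi/qedi_dbg.c
+++ b/drivers/scsi/qedi/qedi_dbg.c
@@ -16,10 +16,6 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
 {
 	va_list va;
 	struct va_format vaf;
-	char nfunc[32];
-
-	memset(nfunc, 0, sizeof(nfunc));
-	memcpy(nfunc, func, sizeof(nfunc) - 1);
 
 	va_start(va, fmt);
 
@@ -28,9 +24,9 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
 
 	if (likely(qedi) && likely(qedi->pdev))
 		pr_err("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
-		       nfunc, line, qedi->host_no, &vaf);
+		       func, line, qedi->host_no, &vaf);
 	else
-		pr_err("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
+		pr_err("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
 
 	va_end(va);
 }
@@ -41,10 +37,6 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
 {
 	va_list va;
 	struct va_format vaf;
-	char nfunc[32];
-
-	memset(nfunc, 0, sizeof(nfunc));
-	memcpy(nfunc, func, sizeof(nfunc) - 1);
 
 	va_start(va, fmt);
 
@@ -56,9 +48,9 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
 
 	if (likely(qedi) && likely(qedi->pdev))
 		pr_warn("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
-		       nfunc, line, qedi->host_no, &vaf);
+		       func, line, qedi->host_no, &vaf);
 	else
-		pr_warn("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
+		pr_warn("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
 
 ret:
 	va_end(va);
@@ -70,10 +62,6 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
 {
 	va_list va;
 	struct va_format vaf;
-	char nfunc[32];
-
-	memset(nfunc, 0, sizeof(nfunc));
-	memcpy(nfunc, func, sizeof(nfunc) - 1);
 
 	va_start(va, fmt);
 
@@ -85,10 +73,10 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
 
 	if (likely(qedi) && likely(qedi->pdev))
 		pr_notice("[%s]:[%s:%d]:%d: %pV",
-			  dev_name(&qedi->pdev->dev), nfunc, line,
+			  dev_name(&qedi->pdev->dev), func, line,
 			  qedi->host_no, &vaf);
 	else
-		pr_notice("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
+		pr_notice("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
 
 ret:
 	va_end(va);
@@ -100,10 +88,6 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
 {
 	va_list va;
 	struct va_format vaf;
-	char nfunc[32];
-
-	memset(nfunc, 0, sizeof(nfunc));
-	memcpy(nfunc, func, sizeof(nfunc) - 1);
 
 	va_start(va, fmt);
 
@@ -115,9 +99,9 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
 
 	if (likely(qedi) && likely(qedi->pdev))
 		pr_info("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
-		       nfunc, line, qedi->host_no, &vaf);
+		       func, line, qedi->host_no, &vaf);
 	else
-		pr_info("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
+		pr_info("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
 
 ret:
 	va_end(va);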
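Review bot: The rewritten pr_err/pr_warn/pr_notice/pr_info calls in the second hunk of each function now print `func` unbounded through `%s`, so the only thing keeping the read in bounds is the caller contract that `func` is a NUL-terminated string, and nothing in this file states that contract now that the nfunc copy is gone. I would add above qedi_dbg_err (or on the prototypes in the header) `/* @func: NUL-terminated name of the calling function; callers pass __func__, so it must never be a fixed-size unterminated buffer. */`, which is what the KASAN report's `__func__.67584` symbol suggests the callers already do. Dropping the old 31-byte cap also means long function names now print in full rather than truncated, which matches the stated intent and is worth a one-line mention in that comment. The same point applies to qedi_dbg_warn, qedi_dbg_notice and qedi_dbg_info; each function's body continues between its two hunks outside the diff.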
165 --
166 2.20.1
167