scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()

commit 578797f0c8cbc2e3ec5fc0dab87087b4c7073686 upstream.

A fix for:

BUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses]
Read of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013

When edev->components is zero, accessing edev->component[0] members is
wrong.

Link: https://lore.kernel.org/r/20230202162451.15346-5-thenzl@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 366656157b0944ca4af74be0f4fda622d31af6c0..70ae5247c9f71b0810c65613e9baaea7022b5b1e 100644 (file)
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -872,7 +872,8 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
        kfree(ses_dev->page2);
        kfree(ses_dev);
 
-       kfree(edev->component[0].scratch);
+       if (edev->components)
+               kfree(edev->component[0].scratch);
 
        put_device(&edev->edev);
        enclosure_unregister(edev);