Commit 40af9a6d authored Feb 02, 2023 by Tomas Henzl Committed by Greg Kroah-Hartman Mar 11, 2023

scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()

commit 578797f0c8cbc2e3ec5fc0dab87087b4c7073686 upstream.

A fix for:

BUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses]
Read of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013

When edev->components is zero, accessing edev->component[0] members is
wrong.

Link: https://lore.kernel.org/r/20230202162451.15346-5-thenzl@redhat.com


Cc: stable@vger.kernel.org
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 79ec5dd5

drivers/scsi/ses.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -856,6 +856,7 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
		kfree(ses_dev->page2);
		kfree(ses_dev);

		if (edev->components)
		kfree(edev->component[0].scratch);

		put_device(&edev->edev);