From: Andrew Vasquez
Date: Fri, 28 Oct 2011 21:40:44 +0000 (-0700)
Subject: qla2xxx: Correct out of bounds read of ISP2200 mailbox registers.
X-Git-Tag: v2.6.39-400.9.0~423^2~94
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=5271fc0bf3b6a616364b8bee645d78a3a681ced2;p=users%2Fjedix%2Flinux-maple.git

qla2xxx: Correct out of bounds read of ISP2200 mailbox registers.

From Olatunji:

A tool that I'm building for finding memory faults in Linux drivers is reporting that the following loop, in qla2x00_mbx_completion(), reads outside the allocated io memory while reading ISP2200 mailbox registers. I would appreciate your help in confirming this bug.

...
	wptr = (uint16_t __iomem *)MAILBOX_REG(ha, reg, 1);
	for (cnt = 1; cnt < ha->mbx_count; cnt++) {
		if (IS_QLA2200(ha) && cnt == 8)
			wptr = (uint16_t __iomem *)MAILBOX_REG(ha, reg, 8);
		if (cnt == 4 || cnt == 5)
			ha->mailbox_out[cnt] = qla2x00_debounce_register(wptr);
		else
			ha->mailbox_out[cnt] = RD_REG_WORD(wptr);
		wptr++;
	}
...

During isp2200 initialization (qla2x00_probe_one), ha->mbx_count is set to 32, even though isp2200 has 24 mailbox registers (mailbox0 ... mailbox23). Therefore the loop runs for cnt=[1..31], wptr walks off the allocated mailbox register region at cnt==24, and results in out-of-bounds reads.

Although I observed this problem in linux2.6.17.1, I confirmed that it also exists in 2.6.37 and 3.1-rc4.

Fortunately, the reads outside the 24 mailbox registers are benign. For correctness, limit the driver's read to 24.

JIRA Key: V2632FC-95
---
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h index c65cb3ddf8a1..9eae991d3124 100644 --- a/drivers/scsi/qla2xxx/qla_def.h +++ b/drivers/scsi/qla2xxx/qla_def.h @@ -44,6 +44,7 @@ * ISP2100 HBAs. */ #define MAILBOX_REGISTER_COUNT_2100 8 +#define MAILBOX_REGISTER_COUNT_2200 24 #define MAILBOX_REGISTER_COUNT 32 #define QLA2200A_RISC_ROM_VER 4
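Review bot: the new MAILBOX_REGISTER_COUNT_2200 define is placed directly under a comment block whose visible tail reads `* ISP2100 HBAs. */`, so that comment now documents only the 2100 value while the hunk adds a second board-specific count; extend the comment to state that the ISP2200 exposes 24 mailbox registers (mailbox0 through mailbox23) and that MAILBOX_REGISTER_COUNT (32) remains the generic maximum, so the next reader does not have to recover the reason for 24 from this commit message.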
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c index 53b9aa8db077..0827af88fc6b 100644 --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c @@ -2149,7 +2149,7 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) ha->nvram_data_off = ~0; ha->isp_ops = &qla2100_isp_ops; } else if (IS_QLA2200(ha)) { - ha->mbx_count = MAILBOX_REGISTER_COUNT; + ha->mbx_count = MAILBOX_REGISTER_COUNT_2200; req_length = REQUEST_ENTRY_CNT_2200; rsp_length = RESPONSE_ENTRY_CNT_2100; ha->max_loop_id = SNS_LAST_LOOP_ID_2100;
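Review bot: only the ISP2200 assignment in qla2x00_probe_one() changes, so the fix relies entirely on qla2x00_mbx_completion() bounding its walk by ha->mbx_count; before merging, confirm that no other path in the driver still treats MAILBOX_REGISTER_COUNT (32) as the ISP2200 register count, for example code that iterates or sizes a buffer by the constant instead of by ha->mbx_count, otherwise the same out-of-bounds read survives there. With `ha->mbx_count = MAILBOX_REGISTER_COUNT_2200;` the loop now stops after cnt == 23, which matches the last register (mailbox23) the report says the ISP2200 has.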
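As an added example that is not part of this commit or of the qla2xxx driver, the following C program re-creates the shape of the mailbox walk from the report over an emulated 24-register ISP2200 window, so the effect of ha->mbx_count = 32 versus 24 can be observed on a host without hardware. mbx_space, mailbox_reg(), in_window(), mbx_completion_walk() and mbx_out() are assumed names, the flat register layout and the 0xDEAD guard value are simplifications for illustration, and RD_REG_WORD()/qla2x00_debounce_register() are collapsed to a plain load.

```c
/*
 * Added example, not code from the qla2xxx driver or from this commit.
 * Emulates the ISP2200 mailbox-register window (24 16-bit registers) and
 * replays the loop shape of qla2x00_mbx_completion() over it, counting
 * reads that land outside the window. The flat layout, mailbox_reg(),
 * mbx_space and the guard value are assumptions for illustration; the
 * real MAILBOX_REG() macro resolves to device I/O space.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAILBOX_REGISTER_COUNT_2100 8
#define MAILBOX_REGISTER_COUNT_2200 24
#define MAILBOX_REGISTER_COUNT      32

/* Emulated I/O space: indices [0, 24) are the ISP2200 mailbox registers,
 * everything after is a guard region the driver was never meant to read.
 * Keeping both in one array lets wptr++ walk off the end exactly as the
 * real pointer does, while staying defined behaviour in this demo. */
#define MBX_WINDOW_WORDS MAILBOX_REGISTER_COUNT_2200
#define MBX_SPACE_WORDS  64
#define MBX_GUARD_VALUE  0xDEAD

static uint16_t mbx_space[MBX_SPACE_WORDS];
static uint16_t mailbox_out[MAILBOX_REGISTER_COUNT];

/* Constructed register contents: register n holds 0x100 + n, guard words
 * hold MBX_GUARD_VALUE so a stray read is recognisable. */
static void mbx_space_init(void)
{
    unsigned int n;
    for (n = 0; n < MBX_SPACE_WORDS; n++)
        mbx_space[n] = (n < MBX_WINDOW_WORDS) ? (uint16_t)(0x100 + n)
                                              : (uint16_t)MBX_GUARD_VALUE;
}

/* Hypothetical stand-in for MAILBOX_REG(ha, reg, n). */
static uint16_t *mailbox_reg(unsigned int n)
{
    return &mbx_space[n];
}

static int in_window(const uint16_t *p)
{
    return p >= mbx_space && p < mbx_space + MBX_WINDOW_WORDS;
}

/*
 * Mirrors the loop from the report, including the re-anchoring of wptr at
 * cnt == 8 on the ISP2200 path. Returns the number of reads that fell
 * outside the 24-register window; mailbox_out[] is filled the way the
 * driver fills ha->mailbox_out[]. mbx_count is capped at the size of
 * mailbox_out[] so the demonstration itself cannot overrun.
 */
unsigned int mbx_completion_walk(unsigned int mbx_count, int is_qla2200)
{
    unsigned int cnt, oob = 0;
    uint16_t *wptr;

    mbx_space_init();
    memset(mailbox_out, 0, sizeof(mailbox_out));
    if (mbx_count > MAILBOX_REGISTER_COUNT)
        mbx_count = MAILBOX_REGISTER_COUNT;

    wptr = mailbox_reg(1);
    for (cnt = 1; cnt < mbx_count; cnt++) {
        if (is_qla2200 && cnt == 8)
            wptr = mailbox_reg(8);
        if (!in_window(wptr))
            oob++;
        mailbox_out[cnt] = *wptr;   /* RD_REG_WORD()/debounce collapsed to a load */
        wptr++;
    }
    return oob;
}

/* Value the last walk stored for mailbox register idx (0 if out of range). */
uint16_t mbx_out(unsigned int idx)
{
    return (idx < MAILBOX_REGISTER_COUNT) ? mailbox_out[idx] : 0;
}

int main(void)
{
    unsigned int before = mbx_completion_walk(MAILBOX_REGISTER_COUNT, 1);
    printf("mbx_count=32: %u out-of-window reads, mailbox_out[24]=0x%04x\n",
           before, mbx_out(24));
    unsigned int after = mbx_completion_walk(MAILBOX_REGISTER_COUNT_2200, 1);
    printf("mbx_count=24: %u out-of-window reads, mailbox_out[23]=0x%04x\n",
           after, mbx_out(23));
    return 0;
}
```

With the pre-fix count of 32 the walk performs eight reads (cnt 24 through 31) past the last real register and stores guard words into mailbox_out[24..31]; with MAILBOX_REGISTER_COUNT_2200 it stops at cnt == 23 and every stored value comes from inside the window.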