scsi: aha1740: Avoid over-read of sense buffer

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally reading across neighboring array fields.

SCtmp->sense_buffer is 96 bytes, but ecbptr->sense is 14 bytes. Instead of
over-reading ecbptr->sense, copy only the actual contents and zero pad the
remaining bytes, avoiding potential over-reads.

Link: https://lore.kernel.org/r/20210616212437.1727088-1-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/aha1740.c b/drivers/scsi/aha1740.c
index 0dc8310..39d8759 100644 (file)
--- a/drivers/scsi/aha1740.c
+++ b/drivers/scsi/aha1740.c
@@ -267,8 +267,11 @@ static irqreturn_t aha1740_intr_handle(int irq, void *dev_id)
                           guarantee that we will still have it in the
                           cdb when we come back */
                        if ( (adapstat & G2INTST_MASK) == G2INTST_CCBERROR ) {
-                               memcpy(SCtmp->sense_buffer, ecbptr->sense, 
-                                      SCSI_SENSE_BUFFERSIZE);
+                               memcpy_and_pad(SCtmp->sense_buffer,
+                                              SCSI_SENSE_BUFFERSIZE,
+                                              ecbptr->sense,
+                                              sizeof(ecbptr->sense),
+                                              0);
                                errstatus = aha1740_makecode(ecbptr->sense,ecbptr->status);
                        } else
                                errstatus = 0;