LKML Archive on lore.kernel.org
From: Ye Bin <yebin10@huawei.com>
To: <jejb@linux.ibm.com>, <martin.petersen@oracle.com>,
<linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Cc: Ye Bin <yebin10@huawei.com>
Subject: [PATCH -next 2/2] scsi:scsi_debug: Fix potential OOB in resp_report_tgtpgs
Date: Wed, 18 Aug 2021 10:14:28 +0800
Message-ID: <20210818021428.3720233-3-yebin10@huawei.com>
In-Reply-To: <20210818021428.3720233-1-yebin10@huawei.com>
As alloc_len's type is 'int', and its value is taken from cmd, it may be negative.
So it will pass a huge len to fill_from_dev_buffer, leading to OOB.
Signed-off-by: Ye Bin <yebin10@huawei.com>
---
drivers/scsi/scsi_debug.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index be0440545744..ead65cdfb522 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1896,8 +1896,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
unsigned char *cmd = scp->cmnd;
unsigned char *arr;
int host_no = devip->sdbg_host->shost->host_no;
- int n, ret, alen, rlen;
int port_group_a, port_group_b, port_a, port_b;
+ u32 alen, n, rlen;
+ int ret;
alen = get_unaligned_be32(cmd + 6);
arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC);
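Review bot: the commit message only motivates the type change for the allocation length, but the new declaration `u32 alen, n, rlen;` also converts `n` and `rlen`, and the message calls the variable alloc_len while the code names it `alen`. Only `alen` is loaded from the CDB here, via get_unaligned_be32(cmd + 6), so please say in the changelog that `n` and `rlen` become u32 to keep the later min() comparison on matching types, and use the variable name as it appears in the function. It would also help to confirm that no code between the two hunks relies on `n` being signed, since those lines are not part of this diff.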
@@ -1959,9 +1960,9 @@ static int resp_report_tgtpgs(struct scsi_cmnd *scp,
* - The constructed command length
* - The maximum array size
*/
- rlen = min_t(int, alen, n);
+ rlen = min(alen, n);
ret = fill_from_dev_buffer(scp, arr,
- min_t(int, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
+ min_t(u32, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ));
kfree(arr);
return ret;
}
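Review bot: the bound is still computed in two steps with two different helpers, `rlen = min(alen, n);` and then `min_t(u32, rlen, SDEBUG_MAX_TGTPGS_ARR_SZ)` inside the fill_from_dev_buffer() call, so `rlen` itself is never limited to the array size and the actual clamp is hidden in an argument expression. Consider assigning the final value once, for example `rlen = min_t(u32, min(alen, n), SDEBUG_MAX_TGTPGS_ARR_SZ);`, and passing `rlen` directly, which matches the three-way minimum the comment above describes and keeps any later use of `rlen` within the kzalloc'd buffer.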
--
2.31.1