From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Aleksandr Miloserdov <a.miloserdov@yadro.com>,
	Roman Bolshakov <r.bolshakov@yadro.com>,
	Bodo Stroesser <bostroesser@gmail.com>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 21/21] scsi: target: core: Prevent underflow for service actions
Date: Tue,  2 Mar 2021 06:58:35 -0500
Message-ID: <20210302115835.63269-21-sashal@kernel.org>
In-Reply-To: <20210302115835.63269-1-sashal@kernel.org>

From: Aleksandr Miloserdov <a.miloserdov@yadro.com>

[ Upstream commit 14d24e2cc77411301e906a8cf41884739de192de ]

TCM buffer length doesn't necessarily equal 8 + ADDITIONAL LENGTH which
might be considered an underflow in case of Data-In size being greater than
8 + ADDITIONAL LENGTH. So truncate buffer length to prevent underflow.

Link: https://lore.kernel.org/r/20210209072202.41154-3-a.miloserdov@yadro.com
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>
Signed-off-by: Aleksandr Miloserdov <a.miloserdov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/target/target_core_pr.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
index 10db5656fd5d..949879f2f1d1 100644
--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -3742,6 +3742,7 @@ core_scsi3_pri_read_keys(struct se_cmd *cmd)
 	spin_unlock(&dev->t10_pr.registration_lock);
 
 	put_unaligned_be32(add_len, &buf[4]);
+	target_set_cmd_data_length(cmd, 8 + add_len);
 
 	transport_kunmap_data_sg(cmd);
 
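Review bot: target_set_cmd_data_length() is called in core_scsi3_pri_read_keys() but is neither defined nor declared anywhere in this patch, so the 4.19 backport only builds if the helper is already in the tree or arrives with an earlier patch of the series; the commit message should name that prerequisite. The message also says the length is truncated, and nothing in this hunk bounds 8 + add_len by cmd->data_length, so please confirm the helper only ever lowers the length and never raises it past what the initiator allocated.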
@@ -3760,7 +3761,7 @@ core_scsi3_pri_read_reservation(struct se_cmd *cmd)
 	struct t10_pr_registration *pr_reg;
 	unsigned char *buf;
 	u64 pr_res_key;
-	u32 add_len = 16; /* Hardcoded to 16 when a reservation is held. */
+	u32 add_len = 0;
 
 	if (cmd->data_length < 8) {
 		pr_err("PRIN SA READ_RESERVATIONS SCSI Data Length: %u"
@@ -3778,8 +3779,9 @@ core_scsi3_pri_read_reservation(struct se_cmd *cmd)
 	pr_reg = dev->dev_pr_res_holder;
 	if (pr_reg) {
 		/*
-		 * Set the hardcoded Additional Length
+		 * Set the Additional Length to 16 when a reservation is held
 		 */
+		add_len = 16;
 		put_unaligned_be32(add_len, &buf[4]);
 
 		if (cmd->data_length < 22)
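Review bot: with add_len now starting at 0 and put_unaligned_be32(add_len, &buf[4]) still inside the if (pr_reg) branch, the ADDITIONAL LENGTH field is never written in the visible lines when no reservation is held, so the response relies on buf having been zeroed beforehand. Consider moving the put_unaligned_be32() call out of the branch, next to the new target_set_cmd_data_length() call, so the field on the wire and the reported length come from the same value on both paths.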
@@ -3815,6 +3817,8 @@ core_scsi3_pri_read_reservation(struct se_cmd *cmd)
 			  (pr_reg->pr_res_type & 0x0f);
 	}
 
+	target_set_cmd_data_length(cmd, 8 + add_len);
+
 err:
 	spin_unlock(&dev->dev_reservation_lock);
 	transport_kunmap_data_sg(cmd);
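Review bot: the new target_set_cmd_data_length() call sits above the err: label, so any path that jumps to err: leaves cmd->data_length unchanged. If that is intended (for example because a buffer that fails the cmd->data_length < 22 check is already shorter than 8 + add_len), a one-line comment above the call would make it clear; otherwise the call belongs after the label.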
@@ -3833,7 +3837,7 @@ core_scsi3_pri_report_capabilities(struct se_cmd *cmd)
 	struct se_device *dev = cmd->se_dev;
 	struct t10_reservation *pr_tmpl = &dev->t10_pr;
 	unsigned char *buf;
-	u16 add_len = 8; /* Hardcoded to 8. */
+	u16 len = 8; /* Hardcoded to 8. */
 
 	if (cmd->data_length < 6) {
 		pr_err("PRIN SA REPORT_CAPABILITIES SCSI Data Length:"
@@ -3845,7 +3849,7 @@ core_scsi3_pri_report_capabilities(struct se_cmd *cmd)
 	if (!buf)
 		return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
 
-	put_unaligned_be16(add_len, &buf[0]);
+	put_unaligned_be16(len, &buf[0]);
 	buf[2] |= 0x10; /* CRH: Compatible Reservation Hanlding bit. */
 	buf[2] |= 0x08; /* SIP_C: Specify Initiator Ports Capable bit */
 	buf[2] |= 0x04; /* ATP_C: All Target Ports Capable bit */
@@ -3874,6 +3878,8 @@ core_scsi3_pri_report_capabilities(struct se_cmd *cmd)
 	buf[4] |= 0x02; /* PR_TYPE_WRITE_EXCLUSIVE */
 	buf[5] |= 0x01; /* PR_TYPE_EXCLUSIVE_ACCESS_ALLREG */
 
+	target_set_cmd_data_length(cmd, len);
+
 	transport_kunmap_data_sg(cmd);
 
 	return 0;
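Review bot: target_set_cmd_data_length(cmd, len) passes 8, while the entry guard of core_scsi3_pri_report_capabilities() only rejects cmd->data_length < 6, so a 6- or 7-byte allocation reaches this call with len larger than the buffer. That is safe only if the helper never increases the length; state that in a comment here or clamp explicitly. A short comment on why this handler passes len alone while the other three pass 8 + add_len would also help the next reader.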
@@ -4034,6 +4040,7 @@ core_scsi3_pri_read_full_status(struct se_cmd *cmd)
 	 * Set ADDITIONAL_LENGTH
 	 */
 	put_unaligned_be32(add_len, &buf[4]);
+	target_set_cmd_data_length(cmd, 8 + add_len);
 
 	transport_kunmap_data_sg(cmd);
 
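Review bot: the literal 8 in target_set_cmd_data_length(cmd, 8 + add_len) is now repeated in read_keys, read_reservation and read_full_status. A named constant for the PRIN header size, used both here and where the header is written, would keep the ADDITIONAL LENGTH field and the reported length from drifting apart if one of them changes.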
-- 
2.30.1

