From: Dmitry Bogdanov <d.bogdanov@yadro.com>
To: <carlos.bilbao@kernel.org>
Cc: <bilbao@vt.edu>, <martin.petersen@oracle.com>, <kees@kernel.org>,
<linux-kernel@vger.kernel.org>, <linux-scsi@vger.kernel.org>
Subject: Re: [PATCH v2] scsi: target: iscsi: reject invalid size Extended CDB AHS
Date: Thu, 9 Apr 2026 12:31:59 +0300 [thread overview]
Message-ID: <20260409093159.GA902@yadro.com> (raw)
In-Reply-To: <20260409024253.34926-1-carlos.bilbao@kernel.org>
On Wed, Apr 08, 2026 at 07:42:53PM -0700, carlos.bilbao@kernel.org wrote:
>
> From: Carlos Bilbao <carlos.bilbao@kernel.org>
>
> If ecdb_ahdr->ahslength is zero, two bugs follow:
>
> kmalloc(be16_to_cpu(ecdb_ahdr->ahslength) + 15, ...)
>
> allocates 15 bytes, but the immediately following memcpy writes
> ISCSI_CDB_SIZE (16) bytes into it, a one-byte heap overflow. Also:
>
> memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb,
> be16_to_cpu(ecdb_ahdr->ahslength) - 1);
>
> (u16)0 - 1 promotes to (int)-1 which converts to SIZE_MAX as size_t,
> causing a massive out-of-bounds write.
>
> Reject ahslength == 0 with ISCSI_REASON_PROTOCOL_ERROR before the kmalloc.
> Also reject ahslength values that exceed the actual AHS buffer advertised.
>
> Changes in v2:
>
> - Add bounds check: ahslength must not exceed (hdr->hlength * 4) - 3.
> - Replace opaque ahslength + 15 with explicit cdb_length variable.
>
> Fixes: 8f1f7d297bce ("scsi: target: iscsi: Add support for extended CDB AHS")
> Signed-off-by: Carlos Bilbao (Lambda) <carlos.bilbao@kernel.org>
Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
> ---
> drivers/target/iscsi/iscsi_target.c | 23 +++++++++++++++++++----
> 1 file changed, 19 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
> index e80449f6ce15..1a492965ebdf 100644
> --- a/drivers/target/iscsi/iscsi_target.c
> +++ b/drivers/target/iscsi/iscsi_target.c
> @@ -1100,6 +1100,8 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, struct iscsit_cmd *cmd,
> cdb = hdr->cdb;
>
> if (hdr->hlength) {
> + u16 ahslength;
> +
> ecdb_ahdr = (struct iscsi_ecdb_ahdr *) (hdr + 1);
> if (ecdb_ahdr->ahstype != ISCSI_AHSTYPE_CDB) {
> pr_err("Additional Header Segment type %d not supported!\n",
> @@ -1108,14 +1110,27 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, struct iscsit_cmd *cmd,
> ISCSI_REASON_CMD_NOT_SUPPORTED, buf);
> }
>
> - cdb = kmalloc(be16_to_cpu(ecdb_ahdr->ahslength) + 15,
> - GFP_KERNEL);
> + ahslength = be16_to_cpu(ecdb_ahdr->ahslength);
> + if (!ahslength) {
> + pr_err("Extended CDB AHS with zero length, protocol error.\n");
> + return iscsit_add_reject_cmd(cmd,
> + ISCSI_REASON_PROTOCOL_ERROR, buf);
> + }
> + if (ahslength > (hdr->hlength * 4) - 3) {
> + pr_err("Extended CDB AHS length %u exceeds available buffer.\n",
> + ahslength);
> + return iscsit_add_reject_cmd(cmd,
> + ISCSI_REASON_PROTOCOL_ERROR, buf);
> + }
> +
> + u16 cdb_length = ahslength - 1 + ISCSI_CDB_SIZE;
AFAIK, a variable declarationis allowed to be in the beginning of code block only.
> +
> + cdb = kmalloc(cdb_length, GFP_KERNEL);
> if (cdb == NULL)
> return iscsit_add_reject_cmd(cmd,
> ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);
> memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE);
> - memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb,
> - be16_to_cpu(ecdb_ahdr->ahslength) - 1);
> + memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb, cdb_length - ISCSI_CDB_SIZE);
> }
>
> data_direction = (hdr->flags & ISCSI_FLAG_CMD_WRITE) ? DMA_TO_DEVICE :
> --
> 2.43.0
>
next prev parent reply other threads:[~2026-04-09 9:32 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-04 1:44 [PATCH] scsi: target: iscsi: reject zero-length Extended CDB AHS carlos.bilbao
2026-04-07 9:23 ` Dmitry Bogdanov
2026-04-09 2:23 ` Carlos Bilbao
2026-04-09 2:42 ` [PATCH v2] scsi: target: iscsi: reject invalid size " carlos.bilbao
2026-04-09 9:31 ` Dmitry Bogdanov [this message]
2026-04-10 2:49 ` Carlos Bilbao
2026-04-14 2:36 ` Martin K. Petersen
2026-04-15 4:07 ` [PATCH v3] " Carlos Bilbao (Lambda)
2026-04-22 1:11 ` Martin K. Petersen
2026-04-15 4:08 ` [PATCH v2] " Carlos Bilbao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260409093159.GA902@yadro.com \
--to=d.bogdanov@yadro.com \
--cc=bilbao@vt.edu \
--cc=carlos.bilbao@kernel.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.