From: sashiko-bot@kernel.org
To: "Ibrahim Hashimov" <security@auditcode.ai>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v3] scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write
Date: Fri, 10 Jul 2026 06:05:42 +0000 [thread overview]
Message-ID: <20260710060543.621591F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710055755.53830-1-security@auditcode.ai>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Integer truncation on 32-bit platforms leads to ZERO_SIZE_PTR out-of-bounds write and kernel panic
--
--- Patch [1]: [PATCH v3] scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write ---
commit 1e0d50f19491d296aa99221a898bda21deff84db
Author: Ibrahim Hashimov <security@auditcode.ai>
scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write
This commit fixes an out-of-bounds write in resp_report_zones() by sizing
the buffer to a whole number of 64-byte blocks that cover the requested
allocation length. It aligns the length and computes the buffer size in
64-bit to avoid a u32 wrap.
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -5911,9 +5912,11 @@ static int resp_report_zones(struct scsi_cmnd *scp,
> return check_condition_result;
> }
>
> - rep_max_zones = (alloc_len - 64) >> ilog2(RZONES_DESC_HD);
> + rep_max_zones = (ALIGN((u64)alloc_len, RZONES_DESC_HD) - RZONES_DESC_HD) >>
> + ilog2(RZONES_DESC_HD);
> + arr_len = (u64)RZONES_DESC_HD * (rep_max_zones + 1);
>
> - arr = kzalloc(alloc_len, GFP_ATOMIC | __GFP_NOWARN);
> + arr = kzalloc(arr_len, GFP_ATOMIC | __GFP_NOWARN);
[Severity: High]
Does this code cause a truncation and kernel panic on 32-bit systems?
If a user with raw IO access sends a REPORT ZONES SCSI command with an
alloc_len between 0xFFFFFFC1 and 0xFFFFFFFF, ALIGN() rounds it up to exactly
0x100000000 (4 GB) making arr_len exactly 0x100000000.
On 32-bit platforms, kzalloc() takes a 32-bit size_t, which silently
truncates 0x100000000 to 0. Calling kzalloc(0) returns ZERO_SIZE_PTR, which
bypasses the (!arr) NULL check.
> if (!arr) {
> mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
> INSUFF_RES_ASCQ);
> return check_condition_result;
> }
>
> sdeb_meta_read_lock(sip);
>
> desc = arr + 64;
Since arr is ZERO_SIZE_PTR (typically 0x10), desc becomes an unmapped
address (0x50).
[ ... ]
> if (nrz < rep_max_zones) {
> /* Fill zone descriptor */
> desc[0] = zsp->z_type;
> desc[1] = zsp->z_cond << 4;
The driver unconditionally dereferences the unmapped memory here, which
will trigger a deterministic kernel panic.
Could we add a bounds check for alloc_len to ensure it doesn't exceed 32-bit
bounds or a reasonable maximum allocation size before passing it to kzalloc()?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710055755.53830-1-security@auditcode.ai?part=1
next prev parent reply other threads:[~2026-07-10 6:05 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 15:06 [PATCH] scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write Ibrahim Hashimov
2026-07-09 15:18 ` sashiko-bot
2026-07-09 19:48 ` [PATCH v2] " Ibrahim Hashimov
2026-07-10 0:58 ` Damien Le Moal
2026-07-10 5:57 ` [PATCH v3] " Ibrahim Hashimov
2026-07-10 6:03 ` Damien Le Moal
2026-07-10 6:05 ` sashiko-bot [this message]
2026-07-10 14:37 ` Bart Van Assche
2026-07-12 18:36 ` Ibrahim Hashimov
2026-07-12 18:37 ` [PATCH v4] " Ibrahim Hashimov
2026-07-13 5:43 ` Damien Le Moal
2026-07-13 17:12 ` Bart Van Assche
2026-07-10 5:59 ` [PATCH v2] " Ibrahim Hashimov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710060543.621591F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=security@auditcode.ai \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.