* [PATCH 0/2] iscsi patches for 3.18
@ 2014-09-29 18:55 michaelc
2014-09-29 18:55 ` [PATCH 1/2] be2iscsi: check ip buffer before copying michaelc
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: michaelc @ 2014-09-29 18:55 UTC (permalink / raw)
To: linux-scsi
A couple patches made over the scsi-queue drivers-for-3.18 branch.
They just fix a possible bug with be2iscsi that Dan reported and
also export the iscsi port being used.
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH 1/2] be2iscsi: check ip buffer before copying 2014-09-29 18:55 [PATCH 0/2] iscsi patches for 3.18 michaelc @ 2014-09-29 18:55 ` michaelc 2014-09-29 19:06 ` James Bottomley 2014-09-29 18:55 ` [PATCH 2/2] iscsi_tcp: export port being used michaelc 2014-09-30 13:46 ` [PATCH 0/2] iscsi patches for 3.18 Christoph Hellwig 2 siblings, 1 reply; 7+ messages in thread From: michaelc @ 2014-09-29 18:55 UTC (permalink / raw) To: linux-scsi From: Mike Christie <michaelc@cs.wisc.edu> Dan Carpenter found a issue where be2iscsi would copy the ip from userspace to the driver buffer before checking the len of the data being copied: http://marc.info/?l=linux-scsi&m=140982651504251&w=2 This patch just has us only copy what we the driver buffer can support. Tested-by: John Soni Jose <sony.john-n@emulex.com> Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> --- drivers/scsi/be2iscsi/be_mgmt.c | 13 ++++++++----- 1 files changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c index 8478506..681d4e8 100644 --- a/drivers/scsi/be2iscsi/be_mgmt.c +++ b/drivers/scsi/be2iscsi/be_mgmt.c @@ -943,17 +943,20 @@ mgmt_static_ip_modify(struct beiscsi_hba *phba, if (ip_action == IP_ACTION_ADD) { memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value, - ip_param->len); + sizeof(req->ip_params.ip_record.ip_addr.addr)); if (subnet_param) memcpy(req->ip_params.ip_record.ip_addr.subnet_mask, - subnet_param->value, subnet_param->len); + subnet_param->value, + sizeof(req->ip_params.ip_record.ip_addr.subnet_mask)); } else { memcpy(req->ip_params.ip_record.ip_addr.addr, - if_info->ip_addr.addr, ip_param->len); + if_info->ip_addr.addr, + sizeof(req->ip_params.ip_record.ip_addr.addr)); memcpy(req->ip_params.ip_record.ip_addr.subnet_mask, - if_info->ip_addr.subnet_mask, ip_param->len); + if_info->ip_addr.subnet_mask, + sizeof(req->ip_params.ip_record.ip_addr.subnet_mask)); } rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0); @@ -981,7 +984,7 @@ static int mgmt_modify_gateway(struct beiscsi_hba *phba, uint8_t *gt_addr, req->action = gtway_action; req->ip_addr.ip_type = BE2_IPV4; - memcpy(req->ip_addr.addr, gt_addr, param_len); + memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr)); return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0); } -- 1.7.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] be2iscsi: check ip buffer before copying 2014-09-29 18:55 ` [PATCH 1/2] be2iscsi: check ip buffer before copying michaelc @ 2014-09-29 19:06 ` James Bottomley 2014-09-29 19:08 ` Mike Christie 0 siblings, 1 reply; 7+ messages in thread From: James Bottomley @ 2014-09-29 19:06 UTC (permalink / raw) To: michaelc; +Cc: linux-scsi On Mon, 2014-09-29 at 13:55 -0500, michaelc@cs.wisc.edu wrote: > From: Mike Christie <michaelc@cs.wisc.edu> > > Dan Carpenter found a issue where be2iscsi would copy the ip > from userspace to the driver buffer before checking the len > of the data being copied: > http://marc.info/?l=linux-scsi&m=140982651504251&w=2 > > This patch just has us only copy what we the driver buffer > can support. > > Tested-by: John Soni Jose <sony.john-n@emulex.com> > Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> This looks to be a long standing and potentially exploitable bug ... does it need a cc to stable? James ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] be2iscsi: check ip buffer before copying 2014-09-29 19:06 ` James Bottomley @ 2014-09-29 19:08 ` Mike Christie 2014-09-29 19:26 ` Christoph Hellwig 0 siblings, 1 reply; 7+ messages in thread From: Mike Christie @ 2014-09-29 19:08 UTC (permalink / raw) To: James Bottomley; +Cc: linux-scsi On 09/29/2014 02:06 PM, James Bottomley wrote: > On Mon, 2014-09-29 at 13:55 -0500, michaelc@cs.wisc.edu wrote: >> From: Mike Christie <michaelc@cs.wisc.edu> >> >> Dan Carpenter found a issue where be2iscsi would copy the ip >> from userspace to the driver buffer before checking the len >> of the data being copied: >> http://marc.info/?l=linux-scsi&m=140982651504251&w=2 >> >> This patch just has us only copy what we the driver buffer >> can support. >> >> Tested-by: John Soni Jose <sony.john-n@emulex.com> >> Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> > > This looks to be a long standing and potentially exploitable bug ... > does it need a cc to stable? > Yeah, sorry. Forgot to cc. Do you need me to resend with them ccd? ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] be2iscsi: check ip buffer before copying 2014-09-29 19:08 ` Mike Christie @ 2014-09-29 19:26 ` Christoph Hellwig 0 siblings, 0 replies; 7+ messages in thread From: Christoph Hellwig @ 2014-09-29 19:26 UTC (permalink / raw) To: Mike Christie; +Cc: James Bottomley, linux-scsi On Mon, Sep 29, 2014 at 02:08:13PM -0500, Mike Christie wrote: > > This looks to be a long standing and potentially exploitable bug ... > > does it need a cc to stable? > > > > Yeah, sorry. Forgot to cc. Do you need me to resend with them ccd? As mentioned offlist I can just add it, but if you know you want it in stable releases it's better to just add it from the beginning. ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 2/2] iscsi_tcp: export port being used 2014-09-29 18:55 [PATCH 0/2] iscsi patches for 3.18 michaelc 2014-09-29 18:55 ` [PATCH 1/2] be2iscsi: check ip buffer before copying michaelc @ 2014-09-29 18:55 ` michaelc 2014-09-30 13:46 ` [PATCH 0/2] iscsi patches for 3.18 Christoph Hellwig 2 siblings, 0 replies; 7+ messages in thread From: michaelc @ 2014-09-29 18:55 UTC (permalink / raw) To: linux-scsi From: Mike Christie <michaelc@cs.wisc.edu> This just has iscsi_tcp support ISCSI_PARAM_LOCAL_PORT which exports the local port being used by the iscsi connection. Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> --- drivers/scsi/iscsi_tcp.c | 10 ++++++++-- drivers/scsi/libiscsi.c | 1 + 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index a669f2d..427af0f 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c @@ -726,13 +726,18 @@ static int iscsi_sw_tcp_conn_get_param(struct iscsi_cls_conn *cls_conn, switch(param) { case ISCSI_PARAM_CONN_PORT: case ISCSI_PARAM_CONN_ADDRESS: + case ISCSI_PARAM_LOCAL_PORT: spin_lock_bh(&conn->session->frwd_lock); if (!tcp_sw_conn || !tcp_sw_conn->sock) { spin_unlock_bh(&conn->session->frwd_lock); return -ENOTCONN; } - rc = kernel_getpeername(tcp_sw_conn->sock, - (struct sockaddr *)&addr, &len); + if (param == ISCSI_PARAM_LOCAL_PORT) + rc = kernel_getsockname(tcp_sw_conn->sock, + (struct sockaddr *)&addr, &len); + else + rc = kernel_getpeername(tcp_sw_conn->sock, + (struct sockaddr *)&addr, &len); spin_unlock_bh(&conn->session->frwd_lock); if (rc) return rc; @@ -895,6 +900,7 @@ static umode_t iscsi_sw_tcp_attr_is_visible(int param_type, int param) case ISCSI_PARAM_DATADGST_EN: case ISCSI_PARAM_CONN_ADDRESS: case ISCSI_PARAM_CONN_PORT: + case ISCSI_PARAM_LOCAL_PORT: case ISCSI_PARAM_EXP_STATSN: case ISCSI_PARAM_PERSISTENT_ADDRESS: case ISCSI_PARAM_PERSISTENT_PORT: diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index 191b597..0d8bc6c 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -3505,6 +3505,7 @@ int iscsi_conn_get_addr_param(struct sockaddr_storage *addr, len = sprintf(buf, "%pI6\n", &sin6->sin6_addr); break; case ISCSI_PARAM_CONN_PORT: + case ISCSI_PARAM_LOCAL_PORT: if (sin) len = sprintf(buf, "%hu\n", be16_to_cpu(sin->sin_port)); else -- 1.7.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 0/2] iscsi patches for 3.18 2014-09-29 18:55 [PATCH 0/2] iscsi patches for 3.18 michaelc 2014-09-29 18:55 ` [PATCH 1/2] be2iscsi: check ip buffer before copying michaelc 2014-09-29 18:55 ` [PATCH 2/2] iscsi_tcp: export port being used michaelc @ 2014-09-30 13:46 ` Christoph Hellwig 2 siblings, 0 replies; 7+ messages in thread From: Christoph Hellwig @ 2014-09-30 13:46 UTC (permalink / raw) To: michaelc; +Cc: linux-scsi On Mon, Sep 29, 2014 at 01:55:40PM -0500, michaelc@cs.wisc.edu wrote: > A couple patches made over the scsi-queue drivers-for-3.18 branch. > They just fix a possible bug with be2iscsi that Dan reported and > also export the iscsi port being used. Thanks, applied both patches to drivers-for-3.18. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-09-30 13:46 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-09-29 18:55 [PATCH 0/2] iscsi patches for 3.18 michaelc 2014-09-29 18:55 ` [PATCH 1/2] be2iscsi: check ip buffer before copying michaelc 2014-09-29 19:06 ` James Bottomley 2014-09-29 19:08 ` Mike Christie 2014-09-29 19:26 ` Christoph Hellwig 2014-09-29 18:55 ` [PATCH 2/2] iscsi_tcp: export port being used michaelc 2014-09-30 13:46 ` [PATCH 0/2] iscsi patches for 3.18 Christoph Hellwig
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.