From: Bodo Stroesser <bostroesser@gmail.com>
To: a.miloserdov@yadro.com, target-devel@vger.kernel.org
Cc: linux-scsi@vger.kernel.org, martin.petersen@oracle.com,
r.bolshakov@yadro.com
Subject: Re: [PATCH 2/2] scsi: target: core: Prevent underflow for service actions
Date: Tue, 9 Feb 2021 18:31:40 +0100 [thread overview]
Message-ID: <c3fa3f9e-78bb-7d42-25d9-9569bd09cdca@gmail.com> (raw)
In-Reply-To: <20210209072202.41154-3-a.miloserdov@yadro.com>
On 09.02.21 08:22, Aleksandr Miloserdov wrote:
> TCM buffer length doesn't necessarily equal 8 + ADDITIONAL LENGTH which
> might be considered an underflow in case of Data-In size being greater than
> 8 + ADDITIONAL LENGTH. So truncate buffer length to prevent underflow.
>
> Signed-off-by: Aleksandr Miloserdov <a.miloserdov@yadro.com>
> Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
> ---
> drivers/target/target_core_pr.c | 15 +++++++++++----
> 1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
> index 14db5e568f22..a13140e95b47 100644
> --- a/drivers/target/target_core_pr.c
> +++ b/drivers/target/target_core_pr.c
> @@ -3739,6 +3739,7 @@ core_scsi3_pri_read_keys(struct se_cmd *cmd)
> spin_unlock(&dev->t10_pr.registration_lock);
>
> put_unaligned_be32(add_len, &buf[4]);
> + target_set_cmd_data_length(cmd, 8 + add_len);
>
> transport_kunmap_data_sg(cmd);
>
> @@ -3757,7 +3758,7 @@ core_scsi3_pri_read_reservation(struct se_cmd *cmd)
> struct t10_pr_registration *pr_reg;
> unsigned char *buf;
> u64 pr_res_key;
> - u32 add_len = 16; /* Hardcoded to 16 when a reservation is held. */
> + u32 add_len = 0;
>
> if (cmd->data_length < 8) {
> pr_err("PRIN SA READ_RESERVATIONS SCSI Data Length: %u"
> @@ -3775,8 +3776,9 @@ core_scsi3_pri_read_reservation(struct se_cmd *cmd)
> pr_reg = dev->dev_pr_res_holder;
> if (pr_reg) {
> /*
> - * Set the hardcoded Additional Length
> + * Set the Additional Length to 16 when a reservation is held
> */
> + add_len = 16;
> put_unaligned_be32(add_len, &buf[4]);
>
> if (cmd->data_length < 22)
> @@ -3812,6 +3814,8 @@ core_scsi3_pri_read_reservation(struct se_cmd *cmd)
> (pr_reg->pr_res_type & 0x0f);
> }
>
> + target_set_cmd_data_length(cmd, 8 + add_len);
> +
> err:
> spin_unlock(&dev->dev_reservation_lock);
> transport_kunmap_data_sg(cmd);
> @@ -3830,7 +3834,7 @@ core_scsi3_pri_report_capabilities(struct se_cmd *cmd)
> struct se_device *dev = cmd->se_dev;
> struct t10_reservation *pr_tmpl = &dev->t10_pr;
> unsigned char *buf;
> - u16 add_len = 8; /* Hardcoded to 8. */
> + u16 len = 8; /* Hardcoded to 8. */
>
> if (cmd->data_length < 6) {
> pr_err("PRIN SA REPORT_CAPABILITIES SCSI Data Length:"
> @@ -3842,7 +3846,7 @@ core_scsi3_pri_report_capabilities(struct se_cmd *cmd)
> if (!buf)
> return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
>
> - put_unaligned_be16(add_len, &buf[0]);
> + put_unaligned_be16(len, &buf[0]);
> buf[2] |= 0x10; /* CRH: Compatible Reservation Hanlding bit. */
> buf[2] |= 0x08; /* SIP_C: Specify Initiator Ports Capable bit */
> buf[2] |= 0x04; /* ATP_C: All Target Ports Capable bit */
> @@ -3871,6 +3875,8 @@ core_scsi3_pri_report_capabilities(struct se_cmd *cmd)
> buf[4] |= 0x02; /* PR_TYPE_WRITE_EXCLUSIVE */
> buf[5] |= 0x01; /* PR_TYPE_EXCLUSIVE_ACCESS_ALLREG */
>
> + target_set_cmd_data_length(cmd, len);
> +
> transport_kunmap_data_sg(cmd);
>
> return 0;
> @@ -4031,6 +4037,7 @@ core_scsi3_pri_read_full_status(struct se_cmd *cmd)
> * Set ADDITIONAL_LENGTH
> */
> put_unaligned_be32(add_len, &buf[4]);
> + target_set_cmd_data_length(cmd, 8 + add_len);
>
> transport_kunmap_data_sg(cmd);
>
>
Looks ok to me.
Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>
next prev parent reply other threads:[~2021-02-09 17:32 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-09 7:22 [PATCH 0/2] Fix target not properly truncating command data length Aleksandr Miloserdov
2021-02-09 7:22 ` [PATCH 1/2] scsi: target: core: Add cmd length set before cmd complete Aleksandr Miloserdov
2021-02-09 17:30 ` Bodo Stroesser
2021-02-09 7:22 ` [PATCH 2/2] scsi: target: core: Prevent underflow for service actions Aleksandr Miloserdov
2021-02-09 17:31 ` Bodo Stroesser [this message]
2021-02-23 3:22 ` [PATCH 0/2] Fix target not properly truncating command data length Martin K. Petersen
2021-02-26 2:22 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c3fa3f9e-78bb-7d42-25d9-9569bd09cdca@gmail.com \
--to=bostroesser@gmail.com \
--cc=a.miloserdov@yadro.com \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=r.bolshakov@yadro.com \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.