* [PATCH] scsi: libiscsi_tcp: bound SCSI Response data segment to the connection buffer
@ 2026-07-10 5:06 HyeongJun An
2026-07-10 5:17 ` sashiko-bot
0 siblings, 1 reply; 2+ messages in thread
From: HyeongJun An @ 2026-07-10 5:06 UTC (permalink / raw)
To: Mike Christie, Lee Duncan, Chris Leech, Martin K . Petersen
Cc: James E . J . Bottomley, open-iscsi, linux-scsi, linux-kernel,
HyeongJun An
iscsi_tcp_hdr_dissect() receives the data segment of several PDU types
into the fixed-size conn->data buffer, which is allocated for
ISCSI_DEF_MAX_RECV_SEG_LEN (8192) bytes. For the LOGIN_RSP, TEXT_RSP,
REJECT and ASYNC_EVENT opcodes the dissect path already rejects a PDU
whose DataSegmentLength exceeds that buffer.
The SCSI Command Response (ISCSI_OP_SCSI_CMD_RSP) path also copies its
data segment (sense/response data) into conn->data via
iscsi_tcp_data_recv_prep(), but it does so without the same check. The
only upstream bound on in.datalen is conn->max_recv_dlength, the
initiator's advertised MaxRecvDataSegmentLength, which is commonly
negotiated well above 8192 (open-iscsi defaults to 262144). A target
that returns a SCSI Response with a DataSegmentLength between 8193 and
max_recv_dlength therefore overflows the 8192-byte conn->data buffer.
Apply the same bound used by the sibling opcodes before handing the
data segment to conn->data.
Fixes: a081c13e39b5 ("[SCSI] iscsi_tcp: split module into lib and lld")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
drivers/scsi/libiscsi_tcp.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c
index e90805ba868f..790d11ec00bc 100644
--- a/drivers/scsi/libiscsi_tcp.c
+++ b/drivers/scsi/libiscsi_tcp.c
@@ -753,6 +753,18 @@ iscsi_tcp_hdr_dissect(struct iscsi_conn *conn, struct iscsi_hdr *hdr)
spin_unlock(&conn->session->back_lock);
break;
case ISCSI_OP_SCSI_CMD_RSP:
+ /*
+ * Sense/response data is received into conn->data, so bound
+ * it to that buffer like the responses handled below.
+ */
+ if (tcp_conn->in.datalen > ISCSI_DEF_MAX_RECV_SEG_LEN) {
+ iscsi_conn_printk(KERN_ERR, conn,
+ "iscsi_tcp: received buffer of len %u but conn buffer is only %u (opcode %0x)\n",
+ tcp_conn->in.datalen,
+ ISCSI_DEF_MAX_RECV_SEG_LEN, opcode);
+ rc = ISCSI_ERR_PROTO;
+ break;
+ }
if (tcp_conn->in.datalen) {
iscsi_tcp_data_recv_prep(tcp_conn);
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] scsi: libiscsi_tcp: bound SCSI Response data segment to the connection buffer
2026-07-10 5:06 [PATCH] scsi: libiscsi_tcp: bound SCSI Response data segment to the connection buffer HyeongJun An
@ 2026-07-10 5:17 ` sashiko-bot
0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-07-10 5:17 UTC (permalink / raw)
To: HyeongJun An; +Cc: linux-scsi
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Medium] In `iscsi_scsi_cmd_rsp()`, an incorrect bounds check allows a malicious or compromised iSCSI target to leak up to 2 bytes of uninitialized kernel memory (or previous packet data) into the SCSI sense buffer via a crafted `CHECK_CONDITION` response.
--
--- Patch [1]: [PATCH] scsi: libiscsi_tcp: bound SCSI Response data segment to the connection buffer ---
commit 997ca9836cebc0e8267dfdbdc7d5ae21d710b9fd
Author: HyeongJun An <sammiee5311@gmail.com>
scsi: libiscsi_tcp: bound SCSI Response data segment to the connection buffer
iscsi_tcp_hdr_dissect() receives the data segment of several PDU types
into the fixed-size conn->data buffer. This commit applies bounds
checking for the SCSI Command Response path before copying the data
segment to prevent overflowing the 8192-byte buffer.
> diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c
> index 60cb6dc3c6f09..ef28543def9e8 100644
> --- a/drivers/scsi/libiscsi_tcp.c
> +++ b/drivers/scsi/libiscsi_tcp.c
> @@ -720,6 +720,18 @@ iscsi_tcp_hdr_dissect(struct iscsi_conn *conn, struct iscsi_hdr *hdr)
> spin_unlock(&conn->session->back_lock);
> break;
> case ISCSI_OP_SCSI_CMD_RSP:
> + /*
> + * Sense/response data is received into conn->data, so bound
> + * it to that buffer like the responses handled below.
> + */
> + if (tcp_conn->in.datalen > ISCSI_DEF_MAX_RECV_SEG_LEN) {
[Severity: Medium]
This is a pre-existing issue, but while looking at how sense data is read
from conn->data, I noticed a potential out-of-bounds read in
drivers/scsi/libiscsi.c:iscsi_scsi_cmd_rsp():
senselen = get_unaligned_be16(data);
if (datalen < senselen)
goto invalid_datalen;
memcpy(sc->sense_buffer, data + 2,
min_t(uint16_t, senselen, SCSI_SENSE_BUFFERSIZE));
Does this code read past the end of the received data? If datalen is exactly
equal to senselen, the memcpy copies from data + 2, which could read 2 bytes
past the valid data in the buffer and expose uninitialized or stale memory
into the SCSI sense buffer. Should the bounds check be datalen < senselen + 2?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710050645.1194212-1-sammiee5311@gmail.com?part=1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-10 5:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-10 5:06 [PATCH] scsi: libiscsi_tcp: bound SCSI Response data segment to the connection buffer HyeongJun An
2026-07-10 5:17 ` sashiko-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox