Linux SCSI subsystem development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Ibrahim Hashimov" <security@auditcode.ai>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v3] scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write
Date: Fri, 10 Jul 2026 06:05:42 +0000	[thread overview]
Message-ID: <20260710060543.621591F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710055755.53830-1-security@auditcode.ai>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Integer truncation on 32-bit platforms leads to ZERO_SIZE_PTR out-of-bounds write and kernel panic
--

--- Patch [1]: [PATCH v3] scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write ---
commit 1e0d50f19491d296aa99221a898bda21deff84db
Author: Ibrahim Hashimov <security@auditcode.ai>

scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write

This commit fixes an out-of-bounds write in resp_report_zones() by sizing
the buffer to a whole number of 64-byte blocks that cover the requested
allocation length. It aligns the length and computes the buffer size in
64-bit to avoid a u32 wrap.

> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -5911,9 +5912,11 @@ static int resp_report_zones(struct scsi_cmnd *scp,
>  		return check_condition_result;
>  	}
>  
> -	rep_max_zones = (alloc_len - 64) >> ilog2(RZONES_DESC_HD);
> +	rep_max_zones = (ALIGN((u64)alloc_len, RZONES_DESC_HD) - RZONES_DESC_HD) >>
> +			ilog2(RZONES_DESC_HD);
> +	arr_len = (u64)RZONES_DESC_HD * (rep_max_zones + 1);
>  
> -	arr = kzalloc(alloc_len, GFP_ATOMIC | __GFP_NOWARN);
> +	arr = kzalloc(arr_len, GFP_ATOMIC | __GFP_NOWARN);

[Severity: High]
Does this code cause a truncation and kernel panic on 32-bit systems?

If a user with raw IO access sends a REPORT ZONES SCSI command with an
alloc_len between 0xFFFFFFC1 and 0xFFFFFFFF, ALIGN() rounds it up to exactly
0x100000000 (4 GB) making arr_len exactly 0x100000000.

On 32-bit platforms, kzalloc() takes a 32-bit size_t, which silently
truncates 0x100000000 to 0. Calling kzalloc(0) returns ZERO_SIZE_PTR, which
bypasses the (!arr) NULL check.

>  	if (!arr) {
>  		mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
>  				INSUFF_RES_ASCQ);
>  		return check_condition_result;
>  	}
>  
>  	sdeb_meta_read_lock(sip);
>  
>  	desc = arr + 64;

Since arr is ZERO_SIZE_PTR (typically 0x10), desc becomes an unmapped
address (0x50).

[ ... ]

>  		if (nrz < rep_max_zones) {
>  			/* Fill zone descriptor */
>  			desc[0] = zsp->z_type;
>  			desc[1] = zsp->z_cond << 4;

The driver unconditionally dereferences the unmapped memory here, which
will trigger a deterministic kernel panic. 

Could we add a bounds check for alloc_len to ensure it doesn't exceed 32-bit
bounds or a reasonable maximum allocation size before passing it to kzalloc()?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260710055755.53830-1-security@auditcode.ai?part=1

  parent reply	other threads:[~2026-07-10  6:05 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 15:06 [PATCH] scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write Ibrahim Hashimov
2026-07-09 15:18 ` sashiko-bot
2026-07-09 19:48 ` [PATCH v2] " Ibrahim Hashimov
2026-07-10  0:58   ` Damien Le Moal
2026-07-10  5:57     ` [PATCH v3] " Ibrahim Hashimov
2026-07-10  6:03       ` Damien Le Moal
2026-07-10  6:05       ` sashiko-bot [this message]
2026-07-10 14:37         ` Bart Van Assche
2026-07-12 18:36           ` Ibrahim Hashimov
2026-07-12 18:37       ` [PATCH v4] " Ibrahim Hashimov
2026-07-13  5:43         ` Damien Le Moal
2026-07-13 17:12         ` Bart Van Assche
2026-07-10  5:59     ` [PATCH v2] " Ibrahim Hashimov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260710060543.621591F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=security@auditcode.ai \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox