* [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()
@ 2025-02-28 9:37 Dan Carpenter
2025-03-04 2:29 ` Martin K. Petersen
2025-03-11 1:19 ` Martin K. Petersen
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2025-02-28 9:37 UTC (permalink / raw)
To: Shivasharan S
Cc: Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani,
James E.J. Bottomley, Martin K. Petersen, MPT-FusionLinux.pdl,
linux-scsi, linux-kernel, kernel-janitors
The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32,
not the number of bytes. We dump that many u32 values to dmesg. Passing
the number of bytes will lead to a read overflow. Divide by 4 to get the
correct value.
Fixes: c72be4b5bb7c ("scsi: mpt3sas: Add support for MCTP Passthrough commands")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index ff8fedf5f20e..063b10dd8251 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -3017,7 +3017,7 @@ int mpt3sas_send_mctp_passthru_req(struct mpt3_passthru_command *command)
if (!(ioc->ctl_cmds.status & MPT3_CMD_COMPLETE)) {
mpt3sas_check_cmd_timeout(ioc,
ioc->ctl_cmds.status, mpi_request,
- sizeof(Mpi26MctpPassthroughRequest_t), issue_reset);
+ sizeof(Mpi26MctpPassthroughRequest_t) / 4, issue_reset);
goto issue_host_reset;
}
--
2.47.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()
2025-02-28 9:37 [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() Dan Carpenter
@ 2025-03-04 2:29 ` Martin K. Petersen
2025-03-11 1:19 ` Martin K. Petersen
1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2025-03-04 2:29 UTC (permalink / raw)
To: Dan Carpenter
Cc: Shivasharan S, Sathya Prakash, Sreekanth Reddy,
Suganath Prabu Subramani, James E.J. Bottomley,
Martin K. Petersen, MPT-FusionLinux.pdl, linux-scsi, linux-kernel,
kernel-janitors
Dan,
> The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32,
> not the number of bytes. We dump that many u32 values to dmesg. Passing
> the number of bytes will lead to a read overflow. Divide by 4 to get the
> correct value.
Applied to 6.15/scsi-staging, thanks!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()
2025-02-28 9:37 [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() Dan Carpenter
2025-03-04 2:29 ` Martin K. Petersen
@ 2025-03-11 1:19 ` Martin K. Petersen
1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2025-03-11 1:19 UTC (permalink / raw)
To: Shivasharan S, Dan Carpenter
Cc: Martin K . Petersen, Sathya Prakash, Sreekanth Reddy,
Suganath Prabu Subramani, James E.J. Bottomley,
MPT-FusionLinux.pdl, linux-scsi, linux-kernel, kernel-janitors
On Fri, 28 Feb 2025 12:37:28 +0300, Dan Carpenter wrote:
> The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32,
> not the number of bytes. We dump that many u32 values to dmesg. Passing
> the number of bytes will lead to a read overflow. Divide by 4 to get the
> correct value.
>
>
Applied to 6.15/scsi-queue, thanks!
[1/1] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()
https://git.kernel.org/mkp/scsi/c/0711f1966a52
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-03-11 1:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-28 9:37 [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() Dan Carpenter
2025-03-04 2:29 ` Martin K. Petersen
2025-03-11 1:19 ` Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox