[PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru

public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()
@ 2025-02-28  9:37 Dan Carpenter
  2025-03-04  2:29 ` Martin K. Petersen
  2025-03-11  1:19 ` Martin K. Petersen
  0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2025-02-28  9:37 UTC (permalink / raw)
  To: Shivasharan S
  Cc: Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani,
	James E.J. Bottomley, Martin K. Petersen, MPT-FusionLinux.pdl,
	linux-scsi, linux-kernel, kernel-janitors

The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32,
not the number of bytes.  We dump that many u32 values to dmesg.  Passing
the number of bytes will lead to a read overflow.  Divide by 4 to get the
correct value.

Fixes: c72be4b5bb7c ("scsi: mpt3sas: Add support for MCTP Passthrough commands")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index ff8fedf5f20e..063b10dd8251 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -3017,7 +3017,7 @@ int mpt3sas_send_mctp_passthru_req(struct mpt3_passthru_command *command)
 	if (!(ioc->ctl_cmds.status & MPT3_CMD_COMPLETE)) {
 		mpt3sas_check_cmd_timeout(ioc,
 		    ioc->ctl_cmds.status, mpi_request,
-		    sizeof(Mpi26MctpPassthroughRequest_t), issue_reset);
+		    sizeof(Mpi26MctpPassthroughRequest_t) / 4, issue_reset);
 		goto issue_host_reset;
 	}
 
-- 
2.47.2


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()
  2025-02-28  9:37 [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() Dan Carpenter
@ 2025-03-04  2:29 ` Martin K. Petersen
  2025-03-11  1:19 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2025-03-04  2:29 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Shivasharan S, Sathya Prakash, Sreekanth Reddy,
	Suganath Prabu Subramani, James E.J. Bottomley,
	Martin K. Petersen, MPT-FusionLinux.pdl, linux-scsi, linux-kernel,
	kernel-janitors


Dan,

> The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32,
> not the number of bytes.  We dump that many u32 values to dmesg.  Passing
> the number of bytes will lead to a read overflow.  Divide by 4 to get the
> correct value.

Applied to 6.15/scsi-staging, thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()
  2025-02-28  9:37 [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() Dan Carpenter
  2025-03-04  2:29 ` Martin K. Petersen
@ 2025-03-11  1:19 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2025-03-11  1:19 UTC (permalink / raw)
  To: Shivasharan S, Dan Carpenter
  Cc: Martin K . Petersen, Sathya Prakash, Sreekanth Reddy,
	Suganath Prabu Subramani, James E.J. Bottomley,
	MPT-FusionLinux.pdl, linux-scsi, linux-kernel, kernel-janitors

On Fri, 28 Feb 2025 12:37:28 +0300, Dan Carpenter wrote:

> The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32,
> not the number of bytes.  We dump that many u32 values to dmesg.  Passing
> the number of bytes will lead to a read overflow.  Divide by 4 to get the
> correct value.
> 
> 

Applied to 6.15/scsi-queue, thanks!

[1/1] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()
      https://git.kernel.org/mkp/scsi/c/0711f1966a52

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-03-11  1:19 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-28  9:37 [PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() Dan Carpenter
2025-03-04  2:29 ` Martin K. Petersen
2025-03-11  1:19 ` Martin K. Petersen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox