From: Tyllis Xu <livelycarpet87@gmail.com>
To: tyreld@linux.ibm.com, martin.petersen@oracle.com
Cc: James.Bottomley@HansenPartnership.com, maddy@linux.ibm.com,
mpe@ellerman.id.au, npiggin@gmail.com, chleroy@kernel.org,
linux-scsi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
danisjiang@gmail.com, ychen@northwestern.edu,
Tyllis Xu <LivelyCarpet87@gmail.com>
Subject: [PATCH] scsi: ibmvfc: fix out-of-bounds write in ibmvfc_channel_setup_done
Date: Fri, 20 Mar 2026 22:37:54 -0500
Message-ID: <20260321033754.899928-1-LivelyCarpet87@gmail.com>

In ibmvfc_channel_setup_done(), the firmware-supplied
num_scsi_subq_channels from the MAD response buffer is assigned directly
to active_queues without being validated against scrqs->max_queues, the
allocated size of the scrqs->scrqs[] array.

A malicious or compromised hypervisor can supply a value larger than
max_queues, causing the loop to write attacker-controlled 64-bit cookie
values beyond the end of the heap-allocated queue array and corrupting
adjacent kernel memory.

Use min_t(u32, ...) rather than min_t(int, ...) to clamp active_queues.
The firmware field is a __be32 whose decoded value is assigned to an int;
a value exceeding INT_MAX would produce a negative int that min_t(int)
would pass through unchanged, storing UINT_MAX into the unsigned int
scrqs->active_queues. Using u32 arithmetic ensures any out-of-range value
is correctly clamped to max_queues regardless of sign.

Fixes: b88a5d9b7f56 ("scsi: ibmvfc: Register Sub-CRQ handles with VIOS during channel setup")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
---
 drivers/scsi/ibmvscsi/ibmvfc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index a20fce04fe79..5694530c4b2f 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -5039,6 +5039,7 @@ static void ibmvfc_channel_setup_done(struct ibmvfc_event *evt)
flags = be32_to_cpu(setup->flags);
vhost->do_enquiry = 0;
active_queues = be32_to_cpu(setup->num_scsi_subq_channels);
+ active_queues = min_t(u32, active_queues, scrqs->max_queues);
scrqs->active_queues = active_queues;
if (flags & IBMVFC_CHANNELS_CANCELED) {
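Review bot: the new clamp at `active_queues = min_t(u32, active_queues, scrqs->max_queues);` silently truncates an out-of-range firmware value, yet a hypervisor reporting more sub-CRQ channels than the driver allocated is exactly the condition the commit message describes as malicious or compromised; consider emitting a `dev_warn(vhost->dev, ...)` when `be32_to_cpu(setup->num_scsi_subq_channels)` exceeds `scrqs->max_queues` so the event is visible in the kernel log rather than tolerated without trace. The commit message also says the change uses `min_t(u32, ...)` "rather than" `min_t(int, ...)`, but the hunk adds a single new line and replaces no existing int clamp, so the message should state plainly that no bound check existed before and that u32 is chosen because the int temporary holding the decoded __be32 can wrap negative.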
--
2.43.0
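A user-space model of the two clamping variants the commit message compares, added here as an illustration; it is not code from the ibmvfc driver or from the patch. `min_t` is reimplemented locally with the kernel's cast-both-operands semantics, `struct scrq_pool` is a constructed stand-in for the driver's queue state, and the sample firmware values are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not code from the ibmvfc driver or the patch:
 * a user-space model of the two ways of clamping the firmware-supplied
 * channel count that the commit message compares. */

typedef uint32_t u32;

/* Same semantics as the kernel's min_t(): both operands are converted
 * to `type` before the comparison. (The kernel version evaluates each
 * argument once; this simplified macro is fine for plain variables.) */
#define min_t(type, x, y) ((type)(x) < (type)(y) ? (type)(x) : (type)(y))

/* Constructed stand-in for the driver's scrqs state: an unsigned queue
 * limit and the unsigned active count the clamped value is stored into. */
struct scrq_pool {
    unsigned int max_queues;
    unsigned int active_queues;
};

/* The pattern the commit message warns against: the firmware value
 * lands in an int temporary, so anything above INT_MAX wraps negative
 * and min_t(int, ...) keeps the negative value because it compares
 * below max_queues. Storing it into the unsigned field yields a huge
 * count. */
static unsigned int clamp_with_int(u32 fw_value, unsigned int max_queues)
{
    struct scrq_pool scrqs = { .max_queues = max_queues, .active_queues = 0 };
    int active_queues = (int)fw_value;   /* wraps for fw_value > INT_MAX */

    active_queues = min_t(int, active_queues, scrqs.max_queues);
    scrqs.active_queues = active_queues; /* -1 becomes UINT_MAX here */
    return scrqs.active_queues;
}

/* The pattern the patch uses: comparing in u32 treats the wrapped int
 * as the large unsigned value it really is, so it is clamped to
 * max_queues regardless of sign. */
static unsigned int clamp_with_u32(u32 fw_value, unsigned int max_queues)
{
    struct scrq_pool scrqs = { .max_queues = max_queues, .active_queues = 0 };
    int active_queues = (int)fw_value;

    active_queues = min_t(u32, active_queues, scrqs.max_queues);
    scrqs.active_queues = active_queues;
    return scrqs.active_queues;
}

/* How many iterations of a "for (i = 0; i < active; i++)" handle loop
 * would index past an array of max_queues entries, i.e. the number of
 * out-of-bounds cookie writes the commit message describes. */
static unsigned int oob_iterations(unsigned int active, unsigned int max_queues)
{
    return active > max_queues ? active - max_queues : 0;
}

int main(void)
{
    /* Constructed sample values: a sane count, an oversized one, and
     * two that wrap negative when stored in an int. */
    const u32 samples[] = { 4, 100, 0x80000000u, 0xFFFFFFFFu };
    const unsigned int max_queues = 16;

    printf("%-12s %-12s %-12s %-12s %-12s\n",
           "fw_value", "int clamp", "oob writes", "u32 clamp", "oob writes");
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int a = clamp_with_int(samples[i], max_queues);
        unsigned int b = clamp_with_u32(samples[i], max_queues);
        printf("%-12u %-12u %-12u %-12u %-12u\n", samples[i],
               a, oob_iterations(a, max_queues),
               b, oob_iterations(b, max_queues));
    }
    return 0;
}
```

The int-to-negative conversion for values above INT_MAX is implementation-defined in C; GCC and Clang wrap modulo 2^32, which is the behaviour the commit message relies on when it says min_t(int) passes a negative value through. The table makes the difference concrete: with max_queues of 16, the int clamp leaves 0xFFFFFFFF as UINT_MAX and 0x80000000 as 2147483648 active queues, while the u32 clamp reduces both to 16 and the out-of-bounds iteration count to zero.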