From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Roland Dreier <roland@purestorage.com>,
Nicholas Bellinger <nab@linux-iscsi.org>,
Ben Hutchings <ben@decadent.org.uk>
Subject: [ 53/65] target: Fix possible integer underflow in UNMAP emulation
Date: Mon, 13 Aug 2012 15:14:37 -0700 [thread overview]
Message-ID: <20120813221419.646367350@linuxfoundation.org> (raw)
In-Reply-To: <20120813221414.965154048@linuxfoundation.org>
From: Greg KH <gregkh@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roland Dreier <roland@purestorage.com>
commit b7fc7f3777582dea85156a821d78a522a0c083aa upstream.
It's possible for an initiator to send us an UNMAP command with a
descriptor that is less than 8 bytes; in that case it's really bad for
us to set an unsigned int to that value, subtract 8 from it, and then
use that as a limit for our loop (since the value will wrap around to
a huge positive value).
Fix this by making size be signed and only looping if size >= 16 (ie
if we have at least a full descriptor available).
Also remove offset as an obfuscated name for the constant 8.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_cdb.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/drivers/target/target_core_cdb.c
+++ b/drivers/target/target_core_cdb.c
@@ -1023,9 +1023,10 @@ int target_emulate_unmap(struct se_task
struct se_device *dev = cmd->se_dev;
unsigned char *buf, *ptr = NULL;
sector_t lba;
- unsigned int size = cmd->data_length, range;
- int ret = 0, offset;
- unsigned short dl, bd_dl;
+ int size = cmd->data_length;
+ u32 range;
+ int ret = 0;
+ int dl, bd_dl;
if (!dev->transport->do_discard) {
pr_err("UNMAP emulation not supported for: %s\n",
@@ -1034,20 +1035,19 @@ int target_emulate_unmap(struct se_task
return -ENOSYS;
}
- /* First UNMAP block descriptor starts at 8 byte offset */
- offset = 8;
- size -= 8;
-
buf = transport_kmap_data_sg(cmd);
dl = get_unaligned_be16(&buf[0]);
bd_dl = get_unaligned_be16(&buf[2]);
- ptr = &buf[offset];
- pr_debug("UNMAP: Sub: %s Using dl: %hu bd_dl: %hu size: %hu"
+ size = min(size - 8, bd_dl);
+
+ /* First UNMAP block descriptor starts at 8 byte offset */
+ ptr = &buf[8];
+ pr_debug("UNMAP: Sub: %s Using dl: %u bd_dl: %u size: %u"
" ptr: %p\n", dev->transport->name, dl, bd_dl, size, ptr);
- while (size) {
+ while (size >= 16) {
lba = get_unaligned_be64(&ptr[0]);
range = get_unaligned_be32(&ptr[8]);
pr_debug("UNMAP: Using lba: %llu and range: %u\n",
next prev parent reply other threads:[~2012-08-13 22:22 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-13 22:13 [ 00/65] 3.4.9-stable review Greg Kroah-Hartman
2012-08-13 22:13 ` [ 01/65] [IA64] Redefine ATOMIC_INIT and ATOMIC64_INIT to drop the casts Greg Kroah-Hartman
2012-08-13 22:13 ` [ 02/65] asus-wmi: use ASUS_WMI_METHODID_DSTS2 as default DSTS ID Greg Kroah-Hartman
2012-08-13 22:13 ` [ 03/65] sunrpc: clnt: Add missing braces Greg Kroah-Hartman
2012-08-13 22:13 ` [ 04/65] SUNRPC: return negative value in case rpcbind client creation error Greg Kroah-Hartman
2012-08-13 22:13 ` [ 05/65] nilfs2: fix deadlock issue between chcp and thaw ioctls Greg Kroah-Hartman
2012-08-13 22:13 ` [ 06/65] media: ene_ir: Fix driver initialisation Greg Kroah-Hartman
2012-08-13 22:13 ` [ 07/65] pcdp: use early_ioremap/early_iounmap to access pcdp table Greg Kroah-Hartman
2012-08-13 22:13 ` [ 08/65] mm: fix wrong argument of migrate_huge_pages() in soft_offline_huge_page() Greg Kroah-Hartman
2012-08-13 22:13 ` [ 09/65] ARM: 7466/1: disable interrupt before spinning endlessly Greg Kroah-Hartman
2012-08-13 22:13 ` [ 10/65] ARM: 7467/1: mutex: use generic xchg-based implementation for ARMv6+ Greg Kroah-Hartman
2012-08-15 4:29 ` Ben Hutchings
2012-08-15 9:10 ` Will Deacon
2012-08-13 22:13 ` [ 11/65] ARM: 7476/1: vfp: only clear vfp state for current cpu in vfp_pm_suspend Greg Kroah-Hartman
2012-08-13 22:13 ` [ 12/65] ARM: 7477/1: vfp: Always save VFP state in vfp_pm_suspend on UP Greg Kroah-Hartman
2012-08-13 22:13 ` [ 13/65] ARM: 7478/1: errata: extend workaround for erratum #720789 Greg Kroah-Hartman
2012-08-13 22:13 ` [ 14/65] ARM: 7479/1: mm: avoid NULL dereference when flushing gate_vma with VIVT caches Greg Kroah-Hartman
2012-08-13 22:13 ` [ 15/65] ARM: 7480/1: only call smp_send_stop() on SMP Greg Kroah-Hartman
2012-08-13 22:14 ` [ 16/65] ARM: Fix undefined instruction exception handling Greg Kroah-Hartman
2012-08-13 22:14 ` [ 17/65] ALSA: hda - add dock support for Thinkpad T430s Greg Kroah-Hartman
2012-08-13 22:14 ` [ 18/65] ALSA: hda - add dock support for Thinkpad X230 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 19/65] ALSA: hda - remove quirk for Dell Vostro 1015 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 20/65] ALSA: hda - Fix double quirk for Quanta FL1 / Lenovo Ideapad Greg Kroah-Hartman
2012-08-13 22:14 ` [ 21/65] mm: mmu_notifier: fix freed page still mapped in secondary MMU Greg Kroah-Hartman
2012-08-13 22:14 ` [ 22/65] md/raid1: dont abort a resync on the first badblock Greg Kroah-Hartman
2012-08-13 22:14 ` [ 23/65] video/smscufx: fix line counting in fb_write Greg Kroah-Hartman
2012-08-13 22:14 ` [ 24/65] ore: Fix out-of-bounds access in _ios_obj() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 25/65] ACPI processor: Fix tick_broadcast_mask online/offline regression Greg Kroah-Hartman
2012-08-13 22:14 ` [ 26/65] mac80211: cancel mesh path timer Greg Kroah-Hartman
2012-08-13 22:14 ` [ 27/65] ath9k: Add PID/VID support for AR1111 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 28/65] wireless: reg: restore previous behaviour of chan->max_power calculations Greg Kroah-Hartman
2012-08-13 22:14 ` [ 29/65] x86, nops: Missing break resulting in incorrect selection on Intel Greg Kroah-Hartman
2012-08-13 22:14 ` [ 30/65] random: make add_interrupt_randomness() do something sane Greg Kroah-Hartman
2012-08-13 22:14 ` [ 31/65] random: use lockless techniques in the interrupt path Greg Kroah-Hartman
2012-08-13 22:14 ` [ 32/65] random: create add_device_randomness() interface Greg Kroah-Hartman
2012-08-13 22:14 ` [ 33/65] usb: feed USB device information to the /dev/random driver Greg Kroah-Hartman
2012-08-13 22:14 ` [ 34/65] net: feed /dev/random with the MAC address when registering a device Greg Kroah-Hartman
2012-08-13 22:14 ` [ 35/65] random: use the arch-specific rng in xfer_secondary_pool Greg Kroah-Hartman
2012-08-13 22:14 ` [ 36/65] random: add new get_random_bytes_arch() function Greg Kroah-Hartman
2012-08-13 22:14 ` [ 37/65] random: add tracepoints for easier debugging and verification Greg Kroah-Hartman
2012-08-13 22:14 ` [ 38/65] MAINTAINERS: Theodore Tso is taking over the random driver Greg Kroah-Hartman
2012-08-13 22:14 ` [ 39/65] rtc: wm831x: Feed the write counter into device_add_randomness() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 40/65] mfd: wm831x: Feed the device UUID " Greg Kroah-Hartman
2012-08-13 22:14 ` [ 41/65] random: remove rand_initialize_irq() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 42/65] random: Add comment to random_initialize() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 43/65] dmi: Feed DMI table to /dev/random driver Greg Kroah-Hartman
2012-08-13 22:14 ` [ 44/65] random: mix in architectural randomness in extract_buf() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 45/65] HID: multitouch: add support for Novatek touchscreen Greg Kroah-Hartman
2012-08-13 22:14 ` [ 46/65] HID: add support for Cypress barcode scanner 04B4:ED81 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 47/65] HID: add ASUS AIO keyboard model AK1D Greg Kroah-Hartman
2012-08-13 22:14 ` [ 48/65] x86, microcode: microcode_core.c simple_strtoul cleanup Greg Kroah-Hartman
2012-08-13 22:14 ` [ 49/65] x86, microcode: Sanitize per-cpu microcode reloading interface Greg Kroah-Hartman
2012-08-13 22:14 ` [ 50/65] mm: hugetlbfs: close race during teardown of hugetlbfs shared page tables Greg Kroah-Hartman
2012-08-13 22:14 ` [ 51/65] target: Add range checking to UNMAP emulation Greg Kroah-Hartman
2012-08-13 22:14 ` [ 52/65] target: Fix reading of data length fields for UNMAP commands Greg Kroah-Hartman
2012-08-13 22:14 ` Greg Kroah-Hartman [this message]
2012-08-13 22:14 ` [ 54/65] target: Check number of unmap descriptors against our limit Greg Kroah-Hartman
2012-08-13 22:14 ` [ 55/65] ARM: mxs: Remove MMAP_MIN_ADDR setting from mxs_defconfig Greg Kroah-Hartman
2012-08-13 22:14 ` [ 56/65] ARM: dts: imx53-ard: add regulators for lan9220 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 57/65] ARM: pxa: remove irq_to_gpio from ezx-pcap driver Greg Kroah-Hartman
2012-08-13 22:14 ` [ 58/65] cfg80211: process pending events when unregistering net device Greg Kroah-Hartman
2012-08-13 22:14 ` [ 59/65] cfg80211: fix interface combinations check for ADHOC(IBSS) Greg Kroah-Hartman
2012-08-13 22:14 ` [ 60/65] tun: dont zeroize sock->file on detach Greg Kroah-Hartman
2012-08-13 22:14 ` [ 61/65] iwlwifi: disable greenfield transmissions as a workaround Greg Kroah-Hartman
2012-08-13 22:14 ` [ 62/65] e1000e: NIC goes up and immediately goes down Greg Kroah-Hartman
2012-08-13 22:14 ` [ 63/65] Input: eeti_ts: pass gpio value instead of IRQ Greg Kroah-Hartman
2012-08-13 22:14 ` [ 64/65] Input: wacom - Bamboo One 1024 pressure fix Greg Kroah-Hartman
2012-08-13 22:14 ` [ 65/65] rt61pci: fix NULL pointer dereference in config_lna_gain Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120813221419.646367350@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=ben@decadent.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=nab@linux-iscsi.org \
--cc=roland@purestorage.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).