[PATCH 4.4 12/26] iscsi-target: Reject immediate data underflow larger than SCSI transfer length

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Roland Dreier <roland@purestorage.com>,
	Mike Christie <mchristi@redhat.com>,
	Hannes Reinecke <hare@suse.de>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Nicholas Bellinger <nab@linux-iscsi.org>
Subject: [PATCH 4.4 12/26] iscsi-target: Reject immediate data underflow larger than SCSI transfer length
Date: Tue, 27 Jun 2017 14:49:49 +0200	[thread overview]
Message-ID: <20170627124530.472616143@linuxfoundation.org> (raw)
In-Reply-To: <20170627124528.581163327@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit abb85a9b512e8ca7ad04a5a8a6db9664fe644974 upstream.

When iscsi WRITE underflow occurs there are two different scenarios
that can happen.

Normally in practice, when an EDTL vs. SCSI CDB TRANSFER LENGTH
underflow is detected, the iscsi immediate data payload is the
smaller SCSI CDB TRANSFER LENGTH.

That is, when a host fabric LLD is using a fixed size EDTL for
a specific control CDB, the SCSI CDB TRANSFER LENGTH and actual
SCSI payload ends up being smaller than EDTL.  In iscsi, this
means the received iscsi immediate data payload matches the
smaller SCSI CDB TRANSFER LENGTH, because there is no more
SCSI payload to accept beyond SCSI CDB TRANSFER LENGTH.

However, it's possible for a malicous host to send a WRITE
underflow where EDTL is larger than SCSI CDB TRANSFER LENGTH,
but incoming iscsi immediate data actually matches EDTL.

In the wild, we've never had a iscsi host environment actually
try to do this.

For this special case, it's wrong to truncate part of the
control CDB payload and continue to process the command during
underflow when immediate data payload received was larger than
SCSI CDB TRANSFER LENGTH, so go ahead and reject and drop the
bogus payload as a defensive action.

Note this potential bug was originally relaxed by the following
for allowing WRITE underflow in MSFT FCP host environments:

   commit c72c5250224d475614a00c1d7e54a67f77cd3410
   Author: Roland Dreier <roland@purestorage.com>
   Date:   Wed Jul 22 15:08:18 2015 -0700

      target: allow underflow/overflow for PR OUT etc. commands

Cc: Roland Dreier <roland@purestorage.com>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/iscsi/iscsi_target.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -1112,6 +1112,18 @@ iscsit_get_immediate_data(struct iscsi_c
 	 */
 	if (dump_payload)
 		goto after_immediate_data;
+	/*
+	 * Check for underflow case where both EDTL and immediate data payload
+	 * exceeds what is presented by CDB's TRANSFER LENGTH, and what has
+	 * already been set in target_cmd_size_check() as se_cmd->data_length.
+	 *
+	 * For this special case, fail the command and dump the immediate data
+	 * payload.
+	 */
+	if (cmd->first_burst_len > cmd->se_cmd.data_length) {
+		cmd->sense_reason = TCM_INVALID_CDB_FIELD;
+		goto after_immediate_data;
+	}

 	immed_ret = iscsit_handle_immediate_data(cmd, hdr,
 					cmd->first_burst_len);

next prev parent reply	other threads:[~2017-06-27 12:51 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-27 12:49 [PATCH 4.4 00/26] 4.4.75-stable review Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 01/26] fs/exec.c: account for argv/envp pointers Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 02/26] autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 03/26] lib/cmdline.c: fix get_options() overflow while parsing ranges Greg Kroah-Hartman
2017-06-29 18:24   ` Ben Hutchings
2017-09-27 10:36     ` Ilya Matveychikov
2017-06-27 12:49 ` [PATCH 4.4 04/26] KVM: PPC: Book3S HV: Preserve userspace HTM state properly Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 05/26] CIFS: Improve readdir verbosity Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 06/26] HID: Add quirk for Dell PIXART OEM mouse Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 07/26] signal: Only reschedule timers on signals timers have sent Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 08/26] powerpc/kprobes: Pause function_graph tracing during jprobes handling Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 09/26] Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 10/26] time: Fix clock->read(clock) race around clocksource changes Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 11/26] target: Fix kref->refcount underflow in transport_cmd_finish_abort Greg Kroah-Hartman
2017-06-27 12:49 ` Greg Kroah-Hartman [this message]
2017-06-27 12:49 ` [PATCH 4.4 13/26] drm/radeon: add a PX quirk for another K53TK variant Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 14/26] drm/radeon: add a quirk for Toshiba Satellite L20-183 Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 17/26] USB: usbip: fix nonconforming hub descriptor Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 19/26] of: Add check to of_scan_flat_dt() before accessing initial_boot_params Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 21/26] powerpc/slb: Force a full SLB flush when we insert for a bad EA Greg Kroah-Hartman
2017-06-27 12:49 ` [PATCH 4.4 22/26] usb: gadget: f_fs: avoid out of bounds access on comp_desc Greg Kroah-Hartman
2017-06-27 12:50 ` [PATCH 4.4 23/26] net: phy: Initialize mdio clock at probe function Greg Kroah-Hartman
2017-06-27 12:50 ` [PATCH 4.4 24/26] net: phy: fix marvell phy status reading Greg Kroah-Hartman
2017-06-27 12:50 ` [PATCH 4.4 25/26] nvme/quirk: Add a delay before checking for adapter readiness Greg Kroah-Hartman
2017-06-27 12:50 ` [PATCH 4.4 26/26] nvme: apply DELAY_BEFORE_CHK_RDY quirk at probe time too Greg Kroah-Hartman
2017-06-27 19:02 ` [PATCH 4.4 00/26] 4.4.75-stable review Guenter Roeck
2017-06-28 13:52 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170627124530.472616143@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=hare@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    --cc=mchristi@redhat.com \
    --cc=nab@linux-iscsi.org \
    --cc=roland@purestorage.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox