[PATCH 4.9 01/25] target: bounds check XCOPY segment descriptor list

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, David Disseldorp <ddiss@suse.de>,
	Christoph Hellwig <hch@lst.de>,
	Bart Van Assche <bart.vanassche@sandisk.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 01/25] target: bounds check XCOPY segment descriptor list
Date: Fri, 15 Jan 2021 13:27:32 +0100	[thread overview]
Message-ID: <20210115121956.756232949@linuxfoundation.org> (raw)
In-Reply-To: <20210115121956.679956165@linuxfoundation.org>

From: David Disseldorp <ddiss@suse.de>

[ Upstream commit af9f62c1686268c0517b289274d38f3a03bebd2a ]

Check the length of the XCOPY request segment descriptor list against
the value advertised via the MAXIMUM SEGMENT DESCRIPTOR COUNT field in
the RECEIVE COPY OPERATING PARAMETERS response.

spc4r37 6.4.3.5 states:
  If the number of segment descriptors exceeds the allowed number, the
  copy manager shall terminate the command with CHECK CONDITION status,
  with the sense key set to ILLEGAL REQUEST, and the additional sense
  code set to TOO MANY SEGMENT DESCRIPTORS.

This functionality is testable using the libiscsi
ExtendedCopy.DescrLimits test.

Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/target/target_core_xcopy.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c
index 18848ba8d2ba0..a63b2fff82cc6 100644
--- a/drivers/target/target_core_xcopy.c
+++ b/drivers/target/target_core_xcopy.c
@@ -305,17 +305,26 @@ static int target_xcopy_parse_segdesc_02(struct se_cmd *se_cmd, struct xcopy_op
 
 static int target_xcopy_parse_segment_descriptors(struct se_cmd *se_cmd,
 				struct xcopy_op *xop, unsigned char *p,
-				unsigned int sdll)
+				unsigned int sdll, sense_reason_t *sense_ret)
 {
 	unsigned char *desc = p;
 	unsigned int start = 0;
 	int offset = sdll % XCOPY_SEGMENT_DESC_LEN, rc, ret = 0;
 
+	*sense_ret = TCM_INVALID_PARAMETER_LIST;
+
 	if (offset != 0) {
 		pr_err("XCOPY segment descriptor list length is not"
 			" multiple of %d\n", XCOPY_SEGMENT_DESC_LEN);
 		return -EINVAL;
 	}
+	if (sdll > RCR_OP_MAX_SG_DESC_COUNT * XCOPY_SEGMENT_DESC_LEN) {
+		pr_err("XCOPY supports %u segment descriptor(s), sdll: %u too"
+			" large..\n", RCR_OP_MAX_SG_DESC_COUNT, sdll);
+		/* spc4r37 6.4.3.5 SEGMENT DESCRIPTOR LIST LENGTH field */
+		*sense_ret = TCM_TOO_MANY_SEGMENT_DESCS;
+		return -EINVAL;
+	}
 
 	while (start < sdll) {
 		/*
@@ -913,7 +922,8 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
 	seg_desc = &p[16];
 	seg_desc += (rc * XCOPY_TARGET_DESC_LEN);
 
-	rc = target_xcopy_parse_segment_descriptors(se_cmd, xop, seg_desc, sdll);
+	rc = target_xcopy_parse_segment_descriptors(se_cmd, xop, seg_desc,
+						    sdll, &ret);
 	if (rc <= 0) {
 		xcopy_pt_undepend_remotedev(xop);
 		goto out;
-- 
2.27.0

next prev parent reply	other threads:[~2021-01-15 13:06 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-15 12:27 [PATCH 4.9 00/25] 4.9.252-rc1 review Greg Kroah-Hartman
2021-01-15 12:27 ` Greg Kroah-Hartman [this message]
2021-01-15 12:27 ` [PATCH 4.9 02/25] target: simplify XCOPY wwn->se_dev lookup helper Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 03/25] target: use XCOPY segment descriptor CSCD IDs Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 04/25] xcopy: loop over devices using idr helper Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 05/25] scsi: target: Fix XCOPY NAA identifier lookup Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 06/25] target: add XCOPY target/segment desc sense codes Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 07/25] powerpc: Fix incorrect stw{, ux, u, x} instructions in __set_pte_at Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 08/25] net: ip: always refragment ip defragmented packets Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 09/25] net: fix pmtu check in nopmtudisc mode Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 10/25] vmlinux.lds.h: Add PGO and AutoFDO input sections Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 11/25] drm/i915: Fix mismatch between misplaced vma check and vma insert Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 12/25] ubifs: wbuf: Dont leak kernel memory to flash Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 13/25] spi: pxa2xx: Fix use-after-free on unbind Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 14/25] ARM: OMAP2+: omap_device: fix idling of devices during probe Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 15/25] cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get() Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 16/25] dmaengine: xilinx_dma: check dma_async_device_register return value Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 17/25] dmaengine: xilinx_dma: fix mixed_enum_type coverity warning Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 18/25] wil6210: select CONFIG_CRC32 Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 19/25] block: rsxx: " Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 20/25] iommu/intel: Fix memleak in intel_irq_remapping_alloc Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 21/25] net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 22/25] wan: ds26522: select CONFIG_BITREVERSE Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 23/25] KVM: arm64: Dont access PMCR_EL0 when no PMU is available Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 24/25] block: fix use-after-free in disk_part_iter_next Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 25/25] net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of trimmed packet Greg Kroah-Hartman
2021-01-15 21:14 ` [PATCH 4.9 00/25] 4.9.252-rc1 review Shuah Khan
2021-01-15 21:18 ` Guenter Roeck
2021-01-16  7:41 ` Naresh Kamboju

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:18848ba8d2ba dfblob:a63b2fff82cc )
 OR (
bs:"[PATCH 4.9 01/25] target: bounds check XCOPY segment descriptor list" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210115121956.756232949@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=bart.vanassche@sandisk.com \
    --cc=ddiss@suse.de \
    --cc=hch@lst.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox