From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qk1-f180.google.com (mail-qk1-f180.google.com [209.85.222.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6A1B62EBDFA for ; Sat, 11 Jul 2026 15:07:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.180 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783782462; cv=none; b=Unh0ML2L79uNN5p4QX0TzvmKhm4d1okCESG6B/yrTslycbqlp83rD8zjAnTlg4SVVD3FwUn6K7xuZg7c1PP6YsA/IZLN28jl3AgqJnYTXhJzoRe5f+2eU3go6+kxDY7Z5GaWoVkjXRmYfrMjGTyG9ui6zTsQceGaiA7kWE1SS9Q= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783782462; c=relaxed/simple; bh=C6OXZLDcXKYzr72BNOQU/VVln5KF7AQKUiA2CLDJY7s=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=ubDMua6z7KKukk7DrPTqsLmUP5e8u5eWWoYw/Y6HEKr8LizB7THFlXK+XBEi2A3dQNTUKZPtmNXWQlEzo/ZEQwWz8RhIMi4KZxf7Oe/BgZxzVC3B69c+MPhSCGLB6ndeerRHRRG1Vbfsrc0uyLul3mfmQNSnIKZ/GUGUM/FWcic= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=NdZG2C0E; arc=none smtp.client-ip=209.85.222.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="NdZG2C0E" Received: by mail-qk1-f180.google.com with SMTP id af79cd13be357-92b21f65b60so172545485a.1 for ; Sat, 11 Jul 2026 08:07:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783782460; x=1784387260; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to:content-type; bh=3aoCw1gmDBSrdw433SXik9FK3EyXMsmdMSQruhZZCAY=; b=NdZG2C0EnoR25Ae3+4Fo8YXMm8WjmQcsT+ZoLm7TRj49HMzsXwVMUAfJJZq/ODtuA+ oc5ySaeQdfCQLyV4VAUVKstWfL5qdu64qjmARElbj/PBJzxI/P2T6BkbEVn4rb7L9HbB TPstmQ4Q5pQCdkYBnc6eoMQM2m7kcfoBSpUQsQttYewkKDoegflwsD3ZbhDzpO+a3yhq zlc2/q9fyFcOjo5rbAC1bBiHN1lTbCMROJlum+c7hX8Usjj8OUSiE91ZvOnq60OiqONO OleScjAfyTbG0LP4cBU/InRSfxsRfHUbXY3hLQ13N4xUYJGpdjv4iujR4FaRUa0m1xUr zvwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783782460; x=1784387260; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to:content-type; bh=3aoCw1gmDBSrdw433SXik9FK3EyXMsmdMSQruhZZCAY=; b=ppcs+7+zFmzXBfWbisuOTgoCnoa2CZEQNn4HLFuRXVRgqOutextQddEulmjNXYdKkN dl4r6klaQ/yVrPCLOwEHN5m8k40FRF3Fy/a/4zvxDxgtO2SRhflyFyV/JlKB7ULXbpzG 6u3qxVN+sf/5FHugrs5/BmseViN0YUyHBS8nFXl+hPENzUDZ1Hj540PNxqLx0gNkErx6 k4ahsunqDJLR9zf4ZPL9vp2Lq9iSBDxSQTcY3XJU72dojX/EMU1G5aaJfisJPMzSEx4v 0iO4HBjDVHByqG7bir6c2Ycfto4XMFrRtzCE0ySzcr5hqaqEhCwIBSuPI11ZvdaV4d+i f3sw== X-Forwarded-Encrypted: i=1; AHgh+RrN5SwZAQLVBksJqXAD+D3S4ObBssJuKUae4pbxDzSh/+dwSiLGTEZXnJZUU6yjJJK8Dz18kW4PkoScDGo=@vger.kernel.org X-Gm-Message-State: AOJu0YwNyPoewrwOagAwtNVJjApf94aijUanTnhqHhi0iJWfjmeQHHpm hIVZDdYrYraNuFkTwYWI28tSJ8NCT3AfUnPyKTxwAlwbHQ6chX/ZBlGf X-Gm-Gg: AfdE7clG1Fae3tpKdEGbiXDTy0trmz3GGKFsr3lziGr3EuCXDl4y7tAGg1ZyWZSGk70 UyjXOxmlaxVPm+KXqyvTA/ihgZlF0GiVJKOR5e2X4+jQ+/KZBpFaFI99rna+hY3P5fTCTjo/Yt0 lj6oMlXDeeu3ZYqzPnJnxYj+MG/cm0YlLLAMFIyNr7gUkVdKGE0+q9ZAYwoj6qg0ENY2fFw1TWj YljCsS05xOmMevbl+MGsnzQ9/T4WrY0kzZF7GxUegSNPrEONKorcGJAfKkjtSRL5lOvnqPuszBo qiL9RDIHkMszMSkW7cGEorOf80qDMKxJHqKg71ER/27l2+vTF3kenOd7p9dQaSU7Q8gMNGNliJ/ LpVMidNQEnChTUffxBqXWtc0UENSxrAbSdgSKYPn6Dsd81ZAK1bfxrxUeZMBnzaF7Swa3TwH8Td Q2w6FTsODqVA7tt5uqYn0Rfs74Dvbcrqwq5TARUutieRXCB2FUn4Alpg7l+QwH9DQWCxU2xR0yb TIt+qBIDw== X-Received: by 2002:a05:620a:4398:b0:92e:56ea:ec69 with SMTP id af79cd13be357-92ef3ed554dmr283777685a.31.1783782460256; Sat, 11 Jul 2026 08:07:40 -0700 (PDT) Received: from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id af79cd13be357-92ee5d69a78sm472464485a.44.2026.07.11.08.07.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Jul 2026 08:07:39 -0700 (PDT) From: Michael Bommarito To: "James E.J. Bottomley" , "Martin K. Petersen" Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH] scsi: sd: bound the IO hints descriptor walk to the buffer Date: Sat, 11 Jul 2026 11:07:36 -0400 Message-ID: <20260711150736.2917641-1-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7bit sd_read_io_hints() computes the end of the IO group descriptor list from the mode-sense reply as buffer + (data.header_length + data.length), where data.length is the device-reported mode data length. A device (or a compromised virtio/hypervisor block backend) that reports a length larger than the SD_BUF_SIZE buffer scsi_mode_sense() actually filled makes the subsequent "for (desc = start; desc < end; desc++)" loop read past the buffer. Impact: a malicious or malfunctioning SCSI/SATA device, or a compromised hypervisor block backend, drives an out-of-bounds read of the mode-sense buffer (KASAN) while parsing permanent-stream IO hints at attach time. Clamp the descriptor region to SD_BUF_SIZE before deriving the end pointer. Fixes: 4f53138fffc2 ("scsi: sd: Translate data lifetime information") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Michael Bommarito --- drivers/scsi/sd.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 599e75f333343..eec383cbc39f1 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3304,6 +3304,7 @@ static void sd_read_io_hints(struct scsi_disk *sdkp, unsigned char *buffer) struct scsi_sense_hdr sshdr; struct scsi_mode_data data; int res; + u32 len; if (sdp->sdev_bflags & BLIST_SKIP_IO_HINTS) return; @@ -3313,9 +3314,17 @@ static void sd_read_io_hints(struct scsi_disk *sdkp, unsigned char *buffer) sdkp->max_retries, &data, &sshdr); if (res < 0) return; + /* + * The device-reported mode data length can exceed the buffer that + * was actually transferred; clamp it so the descriptor walk stays + * within buffer[SD_BUF_SIZE]. + */ + if (data.length > SD_BUF_SIZE - data.header_length) + len = SD_BUF_SIZE; + else + len = data.header_length + data.length; start = (void *)buffer + data.header_length + 16; - end = (void *)buffer + ALIGN_DOWN(data.header_length + data.length, - sizeof(*end)); + end = (void *)buffer + ALIGN_DOWN(len, sizeof(*end)); /* * From "SBC-5 Constrained Streams with Data Lifetimes": Device severs * should assign the lowest numbered stream identifiers to permanent -- 2.53.0