[PATCH next] scsi: bsg: fix buffer overflow in scsi_bsg_uring

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH next] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()
@ 2026-04-10 10:14 Dan Carpenter
  2026-04-10 12:41 ` Jens Axboe
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2026-04-10 10:14 UTC (permalink / raw)
  To: Yang Xiuwei
  Cc: James E.J. Bottomley, Martin K. Petersen, Jens Axboe,
	Bart Van Assche, linux-scsi, linux-kernel, kernel-janitors

The bounds checking in scsi_bsg_uring_cmd() does not work because
cmd->request_len is a u32 and scmd->cmd_len is a u16.  We check that
scmd->cmd_len is valid but if the cmd->request_len is more than
USHRT_MAX it would still lead to a buffer overflow when we do the
copy_from_user().

Fixes: 7b6d3255e7f8 ("scsi: bsg: add io_uring passthrough handler")
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
This email is a free service from the Smatch-CI project [smatch.sf.net].

 drivers/scsi/scsi_bsg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_bsg.c b/drivers/scsi/scsi_bsg.c
index c3ce497a3b94..e80dec53174e 100644
--- a/drivers/scsi/scsi_bsg.c
+++ b/drivers/scsi/scsi_bsg.c
@@ -137,11 +137,11 @@ static int scsi_bsg_uring_cmd(struct request_queue *q, struct io_uring_cmd *iouc
 		return PTR_ERR(req);
 
 	scmd = blk_mq_rq_to_pdu(req);
-	scmd->cmd_len = cmd->request_len;
-	if (scmd->cmd_len > sizeof(scmd->cmnd)) {
+	if (cmd->request_len > sizeof(scmd->cmnd)) {
 		ret = -EINVAL;
 		goto out_free_req;
 	}
+	scmd->cmd_len = cmd->request_len;
 	scmd->allowed = SG_DEFAULT_RETRIES;
 
 	if (copy_from_user(scmd->cmnd, uptr64(cmd->request), cmd->request_len)) {
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH next] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()
  2026-04-10 10:14 [PATCH next] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd() Dan Carpenter
@ 2026-04-10 12:41 ` Jens Axboe
  0 siblings, 0 replies; 2+ messages in thread
From: Jens Axboe @ 2026-04-10 12:41 UTC (permalink / raw)
  To: Yang Xiuwei, Dan Carpenter
  Cc: James E.J. Bottomley, Martin K. Petersen, Bart Van Assche,
	linux-scsi, linux-kernel, kernel-janitors


On Fri, 10 Apr 2026 13:14:52 +0300, Dan Carpenter wrote:
> The bounds checking in scsi_bsg_uring_cmd() does not work because
> cmd->request_len is a u32 and scmd->cmd_len is a u16.  We check that
> scmd->cmd_len is valid but if the cmd->request_len is more than
> USHRT_MAX it would still lead to a buffer overflow when we do the
> copy_from_user().
> 
> 
> [...]

Applied, thanks!

[1/1] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()
      commit: 0a42ca4d2bff6306dd574a7897258fd02c2e6930

Best regards,
-- 
Jens Axboe




^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-10 12:41 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-10 10:14 [PATCH next] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd() Dan Carpenter
2026-04-10 12:41 ` Jens Axboe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox