From: Vasiliy Kovalev <kovalev@altlinux.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
stable@vger.kernel.org
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>,
"James E. J. Bottomley" <jejb@linux.ibm.com>,
Damien Le Moal <damien.lemoal@wdc.com>,
linux-scsi@vger.kernel.org, lvc-project@linuxtesting.org,
kovalev@altlinux.org, nickel@altlinux.org, gerben@altlinux.org,
dutyrok@altlinux.org
Subject: [PATCH 5.10.y 2/3] scsi: core: Fix scsi_mode_select() buffer length handling
Date: Mon, 9 Dec 2024 20:03:29 +0300
Message-ID: <20241209170330.113179-3-kovalev@altlinux.org>
In-Reply-To: <20241209170330.113179-1-kovalev@altlinux.org>
From: Damien Le Moal <damien.lemoal@wdc.com>
commit a7d6840bed0c2b16ac3071b74b5fcf08fc488241 upstream.
The MODE SELECT(6) command allows handling mode page buffers that are up to
255 bytes, including the 4 byte header needed in front of the page
buffer. For requests larger than this limit, automatically use the MODE
SELECT(10) command.
In both cases, since scsi_mode_select() adds the mode select page header,
checks on the buffer length value must include this header size to avoid
overflows of the command CDB allocation length field.
While at it, use put_unaligned_be16() for setting the header block
descriptor length and CDB allocation length when using MODE SELECT(10).
[mkp: fix MODE SENSE vs. MODE SELECT confusion]
Link: https://lore.kernel.org/r/20210820070255.682775-3-damien.lemoal@wdc.com
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
drivers/scsi/scsi_lib.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 0a9db3464fd48e..06838cf5300d00 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2019,8 +2019,15 @@ scsi_mode_select(struct scsi_device *sdev, int pf, int sp, int modepage,
memset(cmd, 0, sizeof(cmd));
cmd[1] = (pf ? 0x10 : 0) | (sp ? 0x01 : 0);
- if (sdev->use_10_for_ms) {
- if (len > 65535)
+ /*
+ * Use MODE SELECT(10) if the device asked for it or if the mode page
+ * and the mode select header cannot fit within the maximumm 255 bytes
+ * of the MODE SELECT(6) command.
+ */
+ if (sdev->use_10_for_ms ||
+ len + 4 > 255 ||
+ data->block_descriptor_length > 255) {
+ if (len > 65535 - 8)
return -EINVAL;
real_buffer = kmalloc(8 + len, GFP_KERNEL);
if (!real_buffer)
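Review bot: typo in the new comment, "maximumm" should read "maximum". The arithmetic itself matches the commit message: `len + 4 > 255` accounts for the 4-byte MODE SELECT(6) parameter header, and the 10-byte path now rejects `len > 65535 - 8` so that the 8-byte header prepended before `kmalloc(8 + len, GFP_KERNEL)` cannot push the 16-bit CDB length field past 65535. Diverting `data->block_descriptor_length > 255` to MODE SELECT(10) is also right, since the 4-byte header has only a single-byte block descriptor length field, whereas the 8-byte header written in the next hunk carries it as a 16-bit value.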
@@ -2033,15 +2040,13 @@ scsi_mode_select(struct scsi_device *sdev, int pf, int sp, int modepage,
real_buffer[3] = data->device_specific;
real_buffer[4] = data->longlba ? 0x01 : 0;
real_buffer[5] = 0;
- real_buffer[6] = data->block_descriptor_length >> 8;
- real_buffer[7] = data->block_descriptor_length;
+ put_unaligned_be16(data->block_descriptor_length,
+ &real_buffer[6]);
cmd[0] = MODE_SELECT_10;
- cmd[7] = len >> 8;
- cmd[8] = len;
+ put_unaligned_be16(len, &cmd[7]);
} else {
- if (len > 255 || data->block_descriptor_length > 255 ||
- data->longlba)
+ if (data->longlba)
return -EINVAL;
real_buffer = kmalloc(4 + len, GFP_KERNEL);
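Review bot: `put_unaligned_be16()` is introduced here with no `#include <asm/unaligned.h>` anywhere in the diff (the diffstat lists only scsi_lib.c, 13 insertions), so the backport relies on the 5.10 file already pulling that header in; worth confirming a clean build on the 5.10.y tree before merging. Dropping the `len > 255 || data->block_descriptor_length > 255` test from the MODE SELECT(6) branch is only safe because the first hunk now routes those cases to MODE SELECT(10); the remaining `if (data->longlba)` rejection must stay, since LONGLBA lives in byte 4 of the 8-byte header (`real_buffer[4] = data->longlba ? 0x01 : 0;`) and the 4-byte header has no such bit.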
--
2.33.8
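The boundary arithmetic described in the commit message, as an added user-space C example; this is not code from the kernel or from this patch. It models the post-patch decision in `scsi_mode_select()` (which CDB to use, how much to allocate, what value lands in the CDB parameter list length field) and, for comparison, the single-byte store the pre-patch MODE SELECT(6) path performed. The macro, enum and struct names (`MODE_PARAM_HDR_6`, `ms_plan`, `plan_mode_select`, `legacy_cdb6_length_byte`) and the `EX_EINVAL` stand-in are constructed for the illustration; the opcode values 0x15 and 0x55 are the standard MODE SELECT(6)/(10) opcodes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sizes of the mode parameter headers that scsi_mode_select() prepends. */
#define MODE_PARAM_HDR_6   4u     /* MODE SELECT(6): one-byte parameter list length */
#define MODE_PARAM_HDR_10  8u     /* MODE SELECT(10): two-byte parameter list length */
#define MAX_CDB_LEN_6      255u   /* largest value of the 8-bit CDB length field */
#define MAX_CDB_LEN_10     65535u /* largest value of the 16-bit CDB length field */
#define EX_EINVAL          22     /* constructed stand-in for the kernel's -EINVAL */

/* Constructed enum name; the values are the standard SCSI opcodes. */
enum ms_opcode { MS_NONE = 0, MS_SELECT_6 = 0x15, MS_SELECT_10 = 0x55 };

/* What the caller would allocate and write into the CDB (constructed type). */
struct ms_plan {
    enum ms_opcode opcode;
    unsigned int alloc_len;      /* kmalloc(header + page) size */
    unsigned int cdb_param_len;  /* header + page, as placed in the CDB */
};

/*
 * Post-patch decision logic. Returns 0 and fills *out, or -EX_EINVAL when
 * header + page cannot be represented in the chosen CDB length field.
 * The check is written as len > LIMIT - HDR rather than len + HDR > LIMIT so
 * it cannot wrap for unsigned inputs; both forms agree for in-range values.
 */
int plan_mode_select(bool use_10_for_ms, unsigned int len,
                     unsigned int block_descriptor_length, bool longlba,
                     struct ms_plan *out)
{
    memset(out, 0, sizeof(*out));

    /* MODE SELECT(10) if the device asked for it or (6) cannot hold the data. */
    if (use_10_for_ms || len > MAX_CDB_LEN_6 - MODE_PARAM_HDR_6 ||
        block_descriptor_length > 255u) {
        if (len > MAX_CDB_LEN_10 - MODE_PARAM_HDR_10)
            return -EX_EINVAL;
        out->opcode = MS_SELECT_10;
        out->alloc_len = MODE_PARAM_HDR_10 + len;
        out->cdb_param_len = MODE_PARAM_HDR_10 + len;
        return 0;
    }

    /* The 4-byte header has no LONGLBA bit, so long LBA descriptors need (10). */
    if (longlba)
        return -EX_EINVAL;
    out->opcode = MS_SELECT_6;
    out->alloc_len = MODE_PARAM_HDR_6 + len;
    out->cdb_param_len = MODE_PARAM_HDR_6 + len;
    return 0;
}

/*
 * Pre-patch behaviour for comparison: the old (6) path accepted any len <= 255
 * and then stored header + page in a single CDB byte. This returns the byte
 * that would actually have reached the device for a given page length.
 */
uint8_t legacy_cdb6_length_byte(unsigned int len)
{
    return (uint8_t)(MODE_PARAM_HDR_6 + len);
}

int main(void)
{
    struct ms_plan p;
    unsigned int probes[] = { 251, 252, 255, 65527, 65528 };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int rc = plan_mode_select(false, probes[i], 0, false, &p);
        printf("len=%5u -> rc=%d opcode=0x%02x cdb_len=%u (old 6-byte field: %u)\n",
               probes[i], rc, (unsigned)p.opcode, p.cdb_param_len,
               (unsigned)legacy_cdb6_length_byte(probes[i]));
    }
    return 0;
}
```

The probe at 255 is the instructive one: the old check let it through on the (6) path, but 4 + 255 = 259 does not fit the one-byte field, so the device would have seen a length of 3; after the patch the same request is routed to MODE SELECT(10), and only a page longer than 65535 - 8 bytes is rejected.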
Thread overview (8+ messages):
2024-12-09 17:03 [PATCH v2 5.10.y 0/3] scsi: Backport fixes for CVE-2021-47182 Vasiliy Kovalev
2024-12-09 17:03 ` [PATCH 5.10.y 1/3] scsi: core: Fix scsi_mode_sense() buffer length handling Vasiliy Kovalev
2024-12-09 20:55 ` Sasha Levin
2024-12-09 17:03 ` Vasiliy Kovalev [this message]
2024-12-09 20:55 ` [PATCH 5.10.y 2/3] scsi: core: Fix scsi_mode_select() " Sasha Levin
2024-12-09 17:03 ` [PATCH 5.10.y 3/3] scsi: sd: Fix sd_do_mode_sense() " Vasiliy Kovalev
2024-12-09 20:55 ` Sasha Levin
2025-01-30 21:26 ` [PATCH v2 5.10.y 0/3] scsi: Backport fixes for CVE-2021-47182 Vasiliy Kovalev