* [PATCH 5.10/5.15] scsi: add a length check for VARIABLE_LENGTH_CMD commands
@ 2024-03-06 13:50 Mikhail Ukhin
2024-03-06 13:51 ` kernel test robot
0 siblings, 1 reply; 2+ messages in thread
From: Mikhail Ukhin @ 2024-03-06 13:50 UTC (permalink / raw)
To: Dave Kleikamp, Christian Brauner, Jens Axboe, Jan Kara,
Greg Kroah-Hartman
Cc: Mikhail Ukhin, jfs-discussion, stable, lvc-project, linux-kernel,
Pavel Koshutin, Artem Sadovnikov, Mikhail Ivanov
Fuzzing of 5.10 stable branch reports a slab-out-of-bounds error in
ata_scsi_pass_thru.
The error is fixed in 5.18 by commit
ce70fd9a551af7424a7dace2a1ba05a7de8eae27.
Backporting this commit would require significant changes to the code so
it is better to use a simple fix for that particular error.
The problem is that the length of the received SCSI command is not
validated if scsi_op == VARIABLE_LENGTH_CMD. It can lead to out-of-bounds
reading if the user sends a request with SCSI command of length less than
32.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Signed-off-by: Artem Sadovnikov <ancowi69@gmail.com>
Signed-off-by: Mikhail Ivanov <iwanov-23@bk.ru>
---
drivers/ata/libata-scsi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index dfa090ccd21c..77589e911d3d 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -4065,6 +4065,9 @@ int __ata_scsi_queuecmd(struct scsi_cmnd *scmd, struct ata_device *dev)
if (unlikely(!scmd->cmd_len))
goto bad_cdb_len;
+
+ if (scsi_op == VARIABLE_LENGTH_CMD && scmd->cmd_len < 32)
+ goto bad_cdb_len;
if (dev->class == ATA_DEV_ATA || dev->class == ATA_DEV_ZAC) {
if (unlikely(scmd->cmd_len > dev->cdb_len))
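Review bot: the added test `scsi_op == VARIABLE_LENGTH_CMD && scmd->cmd_len < 32` uses a bare 32 and is not wrapped in unlikely(), unlike the `!scmd->cmd_len` check directly above it and the `scmd->cmd_len > dev->cdb_len` check directly below. A one-line comment or a named constant stating that 32 is the minimum CDB length the variable-length handling reads would make the bound auditable, and unlikely() would match the neighbouring error paths. The check also sits ahead of the `dev->class` branch, so it rejects short variable-length CDBs for every device class; if that is intended, the commit message should say so, since it only names ata_scsi_pass_thru.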
--
2.25.1
* Re: [PATCH 5.10/5.15] scsi: add a length check for VARIABLE_LENGTH_CMD commands
2024-03-06 13:50 [PATCH 5.10/5.15] scsi: add a length check for VARIABLE_LENGTH_CMD commands Mikhail Ukhin
@ 2024-03-06 13:51 ` kernel test robot
0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2024-03-06 13:51 UTC (permalink / raw)
To: Mikhail Ukhin; +Cc: stable, oe-kbuild-all
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#option-3
Rule: The upstream commit ID must be specified with a separate line above the commit text.
Subject: [PATCH 5.10/5.15] scsi: add a length check for VARIABLE_LENGTH_CMD commands
Link: https://lore.kernel.org/stable/20240306135010.9250-1-mish.uxin2012%40yandex.ru
Please ignore this mail if the patch is not relevant for upstream.
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki