diff mbox series

[v4,2/5] scsi: mpi3mr: fix alltgt_info copy size

Message ID 20230127063500.1278068-3-shinichiro.kawasaki@wdc.com
State New
Headers show
Series scsi: mpi3mr: fix issues found by KASAN | expand

Commit Message

Shinichiro Kawasaki Jan. 27, 2023, 6:34 a.m. UTC
The function mpi3mr_get_all_tgt_info calculates min_entrylen which holds
the valid entry length in alltgt_info. However, it does not refer
min_entrylen when it calls sg_copy_from_buffer to copy the valid entries
from alltgt_info to job->request_payload. Instead, it specifies the
payload length which is larger than the alltgt_info size, then it causes
"BUG: KASAN: slab-out-of-bounds". Fix the BUG by specifying the correct
length referring the calculated min_entrylen.

Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands")
Cc: stable@vger.kernel.org
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
---
 drivers/scsi/mpi3mr/mpi3mr_app.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Sathya Prakash Veerichetty Feb. 9, 2023, 5:51 p.m. UTC | #1
On Thu, Jan 26, 2023 at 11:35 PM Shin'ichiro Kawasaki
<shinichiro.kawasaki@wdc.com> wrote:
>
> The function mpi3mr_get_all_tgt_info calculates min_entrylen which holds
> the valid entry length in alltgt_info. However, it does not refer
> min_entrylen when it calls sg_copy_from_buffer to copy the valid entries
> from alltgt_info to job->request_payload. Instead, it specifies the
> payload length which is larger than the alltgt_info size, then it causes
> "BUG: KASAN: slab-out-of-bounds". Fix the BUG by specifying the correct
> length referring the calculated min_entrylen.

>>both this and the first patch could have been merged. We will do some more cleanup on this function and provide a new patch, we can hold 1 and 2 for now.
>
> Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands")
> Cc: stable@vger.kernel.org
> Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
> ---
>  drivers/scsi/mpi3mr/mpi3mr_app.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
> index 49916ae617e5..7fb9505723cf 100644
> --- a/drivers/scsi/mpi3mr/mpi3mr_app.c
> +++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
> @@ -359,7 +359,7 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc,
>
>         sg_copy_from_buffer(job->request_payload.sg_list,
>                             job->request_payload.sg_cnt,
> -                           alltgt_info, job->request_payload.payload_len);
> +                           alltgt_info, sizeof(*alltgt_info) + min_entrylen);
>         rval = 0;
>  out:
>         kfree(alltgt_info);
> --
> 2.38.1
>
Shinichiro Kawasaki Feb. 14, 2023, 12:26 a.m. UTC | #2
On Feb 09, 2023 / 10:51, Sathya Prakash Veerichetty wrote:
> On Thu, Jan 26, 2023 at 11:35 PM Shin'ichiro Kawasaki
> <shinichiro.kawasaki@wdc.com> wrote:
> >
> > The function mpi3mr_get_all_tgt_info calculates min_entrylen which holds
> > the valid entry length in alltgt_info. However, it does not refer
> > min_entrylen when it calls sg_copy_from_buffer to copy the valid entries
> > from alltgt_info to job->request_payload. Instead, it specifies the
> > payload length which is larger than the alltgt_info size, then it causes
> > "BUG: KASAN: slab-out-of-bounds". Fix the BUG by specifying the correct
> > length referring the calculated min_entrylen.
> 
> >>both this and the first patch could have been merged. We will do some more cleanup on this function and provide a new patch, we can hold 1 and 2 for now.

I see. I will squash the first patch and the second patch in v5 series.
diff mbox series

Patch

diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
index 49916ae617e5..7fb9505723cf 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_app.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
@@ -359,7 +359,7 @@  static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc,
 
 	sg_copy_from_buffer(job->request_payload.sg_list,
 			    job->request_payload.sg_cnt,
-			    alltgt_info, job->request_payload.payload_len);
+			    alltgt_info, sizeof(*alltgt_info) + min_entrylen);
 	rval = 0;
 out:
 	kfree(alltgt_info);