[0/3] Log correct rpmb unit descriptor size

Message ID 20210727123546.17228-1-avri.altman@wdc.com

Message

Avri Altman July 27, 2021, 12:35 p.m. UTC
For the rpmb unit descriptor, if the field offset is larger than 0x23,
it may trigger a stack corruption because a) we do not log properly the
rpmb unit descriptor size, and b) ufs_is_valid_unit_desc_lun() tests for
specific wb offset case, and does not verify that the requested field
does not exceed the descriptor size.

Fix both issues.

Reported-by: Bart Van Assche <bvanassche@google.com>

Avri Altman (3):
  scsi: ufs: Remove redundant define
  scsi: ufs: Map the correct size to the rpmb unit descriptor
  scsi: ufs: Generalize ufs_is_valid_unit_desc_lun()

 drivers/scsi/ufs/ufs-sysfs.c |  2 +-
 drivers/scsi/ufs/ufs.h       | 21 +--------------------
 drivers/scsi/ufs/ufs_bsg.c   |  3 ++-
 drivers/scsi/ufs/ufshcd.c    | 19 ++++++++++++-------
 drivers/scsi/ufs/ufshcd.h    | 27 ++++++++++++++++++++++++++-
 5 files changed, 42 insertions(+), 30 deletions(-)
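
The bounds check the cover letter describes as missing, sketched as an added example (not code from this series or from the ufs driver): a requested field is accepted only if it lies entirely inside the descriptor for that LUN type. All names are hypothetical; 0x23 is treated here as the rpmb unit descriptor size, and the regular unit descriptor size 0x2D and the field offset 0x29 are assumed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not the ufs driver's code. 0x23 is taken from the
 * cover letter as the RPMB unit descriptor size; 0x2D is an assumed size
 * for a regular unit descriptor. */
#define RPMB_UNIT_DESC_SIZE 0x23
#define UNIT_DESC_SIZE      0x2D

enum lun_kind { LUN_REGULAR, LUN_RPMB };

/* Size of the unit descriptor for this kind of LUN. */
static size_t unit_desc_size(enum lun_kind kind)
{
    return kind == LUN_RPMB ? RPMB_UNIT_DESC_SIZE : UNIT_DESC_SIZE;
}

/* General check: the requested field must lie wholly inside the descriptor.
 * Written as len <= size - off so the arithmetic cannot wrap. */
static bool unit_desc_field_valid(enum lun_kind kind, size_t off, size_t len)
{
    size_t size = unit_desc_size(kind);

    return len != 0 && off < size && len <= size - off;
}

/* Copy one field out of a descriptor image holding unit_desc_size(kind)
 * bytes. Returns 0 on success, -1 if the request is rejected. */
static int read_unit_desc_field(enum lun_kind kind, const uint8_t *desc,
                                size_t off, uint8_t *out, size_t len)
{
    if (!unit_desc_field_valid(kind, off, len))
        return -1;
    memcpy(out, desc + off, len);
    return 0;
}

int main(void)
{
    uint8_t rpmb[RPMB_UNIT_DESC_SIZE] = {0}; /* constructed descriptor image */
    uint8_t field[4];

    /* 4 bytes at 0x29 fit a regular descriptor but overrun the RPMB one. */
    printf("rpmb 0x29: %d\n", read_unit_desc_field(LUN_RPMB, rpmb, 0x29, field, 4));
    printf("rpmb 0x1f: %d\n", read_unit_desc_field(LUN_RPMB, rpmb, 0x1f, field, 4));
    return 0;
}
```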

Comments

Martin K. Petersen Aug. 6, 2021, 3:03 a.m. UTC | #1
Avri,

> For the rpmb unit descriptor, if the field offset is larger than 0x23,
> it may trigger a stack corruption because a) we do not log properly the
> rpmb unit descriptor size, and b) ufs_is_valid_unit_desc_lun() tests for
> specific wb offset case, and does not verify that the requested field
> does not exceed the descriptor size.

Please rebase on top of 5.15/scsi-staging and fix the resulting
errors. Thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering