From: Xiaohui Zhang <ruc_zhangxiaohui@163.com>
To: Xiaohui Zhang <ruc_zhangxiaohui@163.com>,
"K. Y. Srinivasan" <kys@microsoft.com>,
Haiyang Zhang <haiyangz@microsoft.com>,
Stephen Hemminger <sthemmin@microsoft.com>,
Wei Liu <wei.liu@kernel.org>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-hyperv@vger.kernel.org, linux-scsi@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/1] scsi: Fix possible buffer overflows in storvsc_queuecommand
Date: Tue, 8 Dec 2020 21:19:18 +0800 [thread overview]
Message-ID: <20201208131918.31534-1-ruc_zhangxiaohui@163.com> (raw)
From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
storvsc_queuecommand() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().
Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
---
drivers/scsi/storvsc_drv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 0c65fbd41..09b60a4c0 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1729,6 +1729,8 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
vm_srb->cdb_length = scmnd->cmd_len;
+ if (vm_srb->cdb_length > STORVSC_MAX_CMD_LEN)
+ vm_srb->cdb_length = STORVSC_MAX_CMD_LEN;
memcpy(vm_srb->cdb, scmnd->cmnd, vm_srb->cdb_length);
sgl = (struct scatterlist *)scsi_sglist(scmnd);
--
2.17.1
next reply other threads:[~2020-12-08 13:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-08 13:19 Xiaohui Zhang [this message]
2020-12-08 16:30 ` [EXTERNAL] [PATCH 1/1] scsi: Fix possible buffer overflows in storvsc_queuecommand KY Srinivasan
2020-12-08 17:52 ` Michael Kelley
[not found] ` <56cde2c6.bb9.176451a57d7.Coremail.ruc_zhangxiaohui@163.com>
2020-12-09 13:31 ` Wei Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201208131918.31534-1-ruc_zhangxiaohui@163.com \
--to=ruc_zhangxiaohui@163.com \
--cc=haiyangz@microsoft.com \
--cc=jejb@linux.ibm.com \
--cc=kys@microsoft.com \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=sthemmin@microsoft.com \
--cc=wei.liu@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).