[PATCH v3] scsi: storvsc: Fix validation for unsolicited incoming packets

[PATCH v3] scsi: storvsc: Fix validation for unsolicited incoming packets

[Andrea Parri (Microsoft)]

The validation on the length of incoming packets performed in
storvsc_on_channel_callback() does not apply to unsolicited
packets with ID of 0 sent by Hyper-V.  Adjust the validation
for such unsolicited packets.

Fixes: 91b1b640b834b2 ("scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()")
Reported-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
---
Changes since v2[1]:
  - Adjust inline comments (Michael Kelley)

Changes since v1[2]:
  - Use sizeof(enum vstor_packet_operation) instead of 48 (Michael Kelley)
  - Filter out FCHBA_DATA packets (Michael Kelley)

Changes since RFC[3]:
  - Merge length checks (Haiyang Zhang)

[1] https://lkml.kernel.org/r/20211006132026.4089-1-parri.andrea@gmail.com
[2] https://lkml.kernel.org/r/20211005114103.3411-1-parri.andrea@gmail.com
[3] https://lkml.kernel.org/r/20210928163732.5908-1-parri.andrea@gmail.com

 drivers/scsi/storvsc_drv.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index ebbbc1299c625..9eb1b88a29dde 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1285,11 +1285,15 @@ static void storvsc_on_channel_callback(void *context)
 	foreach_vmbus_pkt(desc, channel) {
 		struct vstor_packet *packet = hv_pkt_data(desc);
 		struct storvsc_cmd_request *request = NULL;
+		u32 pktlen = hv_pkt_datalen(desc);
 		u64 rqst_id = desc->trans_id;
+		u32 minlen = rqst_id ? sizeof(struct vstor_packet) -
+			stor_device->vmscsi_size_delta : sizeof(enum vstor_packet_operation);
 
-		if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) -
-				stor_device->vmscsi_size_delta) {
-			dev_err(&device->device, "Invalid packet len\n");
+		if (pktlen < minlen) {
+			dev_err(&device->device,
+				"Invalid pkt: id=%llu, len=%u, minlen=%u\n",
+				rqst_id, pktlen, minlen);
 			continue;
 		}
 
@@ -1302,13 +1306,23 @@ static void storvsc_on_channel_callback(void *context)
 			if (rqst_id == 0) {
 				/*
 				 * storvsc_on_receive() looks at the vstor_packet in the message
-				 * from the ring buffer.  If the operation in the vstor_packet is
-				 * COMPLETE_IO, then we call storvsc_on_io_completion(), and
-				 * dereference the guest memory address.  Make sure we don't call
-				 * storvsc_on_io_completion() with a guest memory address that is
-				 * zero if Hyper-V were to construct and send such a bogus packet.
+				 * from the ring buffer.
+				 *
+				 * - If the operation in the vstor_packet is COMPLETE_IO, then
+				 *   we call storvsc_on_io_completion(), and dereference the
+				 *   guest memory address.  Make sure we don't call
+				 *   storvsc_on_io_completion() with a guest memory address
+				 *   that is zero if Hyper-V were to construct and send such
+				 *   a bogus packet.
+				 *
+				 * - If the operation in the vstor_packet is FCHBA_DATA, then
+				 *   we call cache_wwn(), and access the data payload area of
+				 *   the packet (wwn_packet); however, there is no guarantee
+				 *   that the packet is big enough to contain such area.
+				 *   Future-proof the code by rejecting such a bogus packet.
 				 */
-				if (packet->operation == VSTOR_OPERATION_COMPLETE_IO) {
+				if (packet->operation == VSTOR_OPERATION_COMPLETE_IO ||
+				    packet->operation == VSTOR_OPERATION_FCHBA_DATA) {
 					dev_err(&device->device, "Invalid packet with ID of 0\n");
 					continue;
 				}
-- 
2.25.1

RE: [PATCH v3] scsi: storvsc: Fix validation for unsolicited incoming packets

[Haiyang Zhang]

> -----Original Message-----
> From: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
> Sent: Thursday, October 7, 2021 8:28 AM
> To: linux-kernel@vger.kernel.org; linux-hyperv@vger.kernel.org; linux-
> scsi@vger.kernel.org
> Cc: KY Srinivasan <kys@microsoft.com>; Haiyang Zhang
> <haiyangz@microsoft.com>; Stephen Hemminger <sthemmin@microsoft.com>;
> Wei Liu <wei.liu@kernel.org>; James E . J . Bottomley
> <jejb@linux.ibm.com>; Martin K . Petersen <martin.petersen@oracle.com>;
> Michael Kelley <mikelley@microsoft.com>; Andrea Parri (Microsoft)
> <parri.andrea@gmail.com>; Dexuan Cui <decui@microsoft.com>
> Subject: [PATCH v3] scsi: storvsc: Fix validation for unsolicited
> incoming packets
> 
> The validation on the length of incoming packets performed in
> storvsc_on_channel_callback() does not apply to unsolicited packets with
> ID of 0 sent by Hyper-V.  Adjust the validation for such unsolicited
> packets.
> 
> Fixes: 91b1b640b834b2 ("scsi: storvsc: Validate length of incoming
> packet in storvsc_on_channel_callback()")
> Reported-by: Dexuan Cui <decui@microsoft.com>
> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
> Reviewed-by: Michael Kelley <mikelley@microsoft.com>
> ---

Thanks.

Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>

Re: [PATCH v3] scsi: storvsc: Fix validation for unsolicited incoming packets

[Martin K. Petersen]

On Thu, 7 Oct 2021 14:28:28 +0200, Andrea Parri (Microsoft) wrote:

> The validation on the length of incoming packets performed in
> storvsc_on_channel_callback() does not apply to unsolicited
> packets with ID of 0 sent by Hyper-V.  Adjust the validation
> for such unsolicited packets.
> 
> 

Applied to 5.15/scsi-fixes, thanks!

[1/1] scsi: storvsc: Fix validation for unsolicited incoming packets
      https://git.kernel.org/mkp/scsi/c/6fd13d699d24

-- 
Martin K. Petersen	Oracle Linux Engineering