From: Fullway Wang <fullwaywang@outlook.com>
To: bootc@bootc.net, martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, target-devel@vger.kernel.org,
linux-kernel@vger.kernel.org, fullwaywang@tencent.com,
Fullway Wang <fullwaywang@outlook.com>
Subject: [PATCH] target: sbp: integer overflow and potential memory corruption
Date: Thu, 18 Jan 2024 11:19:59 +0800 [thread overview]
Message-ID: <PH7PR20MB59258C767EF853A54273B3A7BF712@PH7PR20MB5925.namprd20.prod.outlook.com> (raw)
The code in sbp_make_tpg() is confusing because tpgt was limited
to UINT_MAX but the datatype of tpg->tport_tpgt is actually u16.
Correctly fix the data type problem to avoid integer overflow.
This is similar to CVE-2015-4036 in the sense that sbp is a clone
of vhost/scsi, and the bug was inherited but never fixed.
Signed-off-by: Fullway Wang <fullwaywang@outlook.com>
---
drivers/target/sbp/sbp_target.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c
index b604fcae21e1..1ba742ee48b0 100644
--- a/drivers/target/sbp/sbp_target.c
+++ b/drivers/target/sbp/sbp_target.c
@@ -43,6 +43,7 @@ static const u32 sbp_unit_directory_template[] = {
};
#define SESSION_MAINTENANCE_INTERVAL HZ
+#define SBP_MAX_TARGET 256
static atomic_t login_id = ATOMIC_INIT(0);
@@ -1961,12 +1962,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn,
container_of(wwn, struct sbp_tport, tport_wwn);
struct sbp_tpg *tpg;
- unsigned long tpgt;
+ u16 tpgt;
int ret;
if (strstr(name, "tpgt_") != name)
return ERR_PTR(-EINVAL);
- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
+ if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= SBP_MAX_TARGET)
return ERR_PTR(-EINVAL);
if (tport->tpg) {
--
2.39.3 (Apple Git-145)
next reply other threads:[~2024-01-18 3:20 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-18 3:19 Fullway Wang [this message]
2024-02-05 22:02 ` [PATCH] target: sbp: integer overflow and potential memory corruption Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=PH7PR20MB59258C767EF853A54273B3A7BF712@PH7PR20MB5925.namprd20.prod.outlook.com \
--to=fullwaywang@outlook.com \
--cc=bootc@bootc.net \
--cc=fullwaywang@tencent.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.