Re: [PATCH 1/1] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
On 9/3/2014 8:00 AM, micha...@cs.wisc.edu wrote: From: Mike Christie micha...@cs.wisc.edu This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu. This function is used by iscsi drivers and userspace to send iscsi PDUs/ commands. For login commands, we have a set buffer size. For all other commands we do not support data buffers. This was reported by Dan Carpenter here: http://www.spinics.net/lists/linux-scsi/msg66838.html Reported-by: Dan Carpenter dan.carpen...@oracle.com Signed-off-by: Mike Christie micha...@cs.wisc.edu --- drivers/scsi/libiscsi.c | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index ea025e4..191b597 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -717,11 +717,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct iscsi_hdr *hdr, return NULL; } + if (data_size ISCSI_DEF_MAX_RECV_SEG_LEN) { + iscsi_conn_printk(KERN_ERR, conn, Invalid buffer len of %u for login task. Max len is %u\n, data_size, ISCSI_DEF_MAX_RECV_SEG_LEN); + return NULL; + } + task = conn-login_task; } else { if (session-state != ISCSI_STATE_LOGGED_IN) return NULL; + if (data_size != 0) { + iscsi_conn_printk(KERN_ERR, conn, Can not send data buffer of len %u for op 0x%x\n, data_size, opcode); + return NULL; + } + BUG_ON(conn-c_stage == ISCSI_CONN_INITIAL_STAGE); BUG_ON(conn-c_stage == ISCSI_CONN_STOPPED); Looks good to me too, Reviewed-by: Sagi Grimberg sa...@mellanox.com -- To unsubscribe from this list: send the line unsubscribe linux-scsi in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/1] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
From: Mike Christie micha...@cs.wisc.edu This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu. This function is used by iscsi drivers and userspace to send iscsi PDUs/ commands. For login commands, we have a set buffer size. For all other commands we do not support data buffers. This was reported by Dan Carpenter here: http://www.spinics.net/lists/linux-scsi/msg66838.html Reported-by: Dan Carpenter dan.carpen...@oracle.com Signed-off-by: Mike Christie micha...@cs.wisc.edu --- drivers/scsi/libiscsi.c | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index ea025e4..191b597 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -717,11 +717,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct iscsi_hdr *hdr, return NULL; } + if (data_size ISCSI_DEF_MAX_RECV_SEG_LEN) { + iscsi_conn_printk(KERN_ERR, conn, Invalid buffer len of %u for login task. Max len is %u\n, data_size, ISCSI_DEF_MAX_RECV_SEG_LEN); + return NULL; + } + task = conn-login_task; } else { if (session-state != ISCSI_STATE_LOGGED_IN) return NULL; + if (data_size != 0) { + iscsi_conn_printk(KERN_ERR, conn, Can not send data buffer of len %u for op 0x%x\n, data_size, opcode); + return NULL; + } + BUG_ON(conn-c_stage == ISCSI_CONN_INITIAL_STAGE); BUG_ON(conn-c_stage == ISCSI_CONN_STOPPED); -- 1.7.1 -- To unsubscribe from this list: send the line unsubscribe linux-scsi in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: potential buffer overrun in __iscsi_conn_send_pdu()
I never heard back on this. It still looks like a very serious bug with security implications etc. regards, dan carpenter On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote: My static checker complains about a possible array overflow in __iscsi_conn_send_pdu(). drivers/scsi/libiscsi.c 743 if (data_size) { 744 memcpy(task-data, data, data_size); 745 task-data_count = data_size; 746 } else 747 task-data_count = 0; 748 data_size comes from skb-data and we haven't checked that it is less than ISCSI_DEF_MAX_RECV_SEG_LEN (8192). The call tree is: iscsi_if_recv_msg() iscsi_conn_send_pdu() __iscsi_conn_send_pdu() I'm a newbie to this code, so I'm not sure if this is a real bug or not. regards, dan carpenter -- To unsubscribe from this list: send the line unsubscribe linux-scsi in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: potential buffer overrun in __iscsi_conn_send_pdu()
On 9/1/14, 1:06 PM, Dan Carpenter wrote: I never heard back on this. It still looks like a very serious bug with security implications etc. Sorry about that. I must have missed the original. You are right. I should have a tested patch by tomorrow. regards, dan carpenter On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote: My static checker complains about a possible array overflow in __iscsi_conn_send_pdu(). drivers/scsi/libiscsi.c 743 if (data_size) { 744 memcpy(task-data, data, data_size); 745 task-data_count = data_size; 746 } else 747 task-data_count = 0; 748 data_size comes from skb-data and we haven't checked that it is less than ISCSI_DEF_MAX_RECV_SEG_LEN (8192). The call tree is: iscsi_if_recv_msg() iscsi_conn_send_pdu() __iscsi_conn_send_pdu() I'm a newbie to this code, so I'm not sure if this is a real bug or not. regards, dan carpenter -- To unsubscribe from this list: send the line unsubscribe linux-scsi in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
potential buffer overrun in __iscsi_conn_send_pdu()
My static checker complains about a possible array overflow in __iscsi_conn_send_pdu(). drivers/scsi/libiscsi.c 743 if (data_size) { 744 memcpy(task-data, data, data_size); 745 task-data_count = data_size; 746 } else 747 task-data_count = 0; 748 data_size comes from skb-data and we haven't checked that it is less than ISCSI_DEF_MAX_RECV_SEG_LEN (8192). The call tree is: iscsi_if_recv_msg() iscsi_conn_send_pdu() __iscsi_conn_send_pdu() I'm a newbie to this code, so I'm not sure if this is a real bug or not. regards, dan carpenter -- To unsubscribe from this list: send the line unsubscribe linux-scsi in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html