The discover_targets_done() function processes a response from the virtual FC adapter containing a num_written field that indicates how many targets were written to the discovery buffer. This value is assigned to vhost->num_targets without validation.
The discovery buffer is pre-allocated with a fixed size based on max_targets, but the virtual adapter could return num_written > max_targets. This causes an out-of-bounds read in ibmvfc_alloc_targets() which iterates vhost->num_targets times over the disc_buf array. Fix by clamping the value to the maximum buffer size. Reported-by: Yuhao Jiang <[email protected]> Reported-by: Junrui Luo <[email protected]> Fixes: 072b91f9c651 ("[SCSI] ibmvfc: IBM Power Virtual Fibre Channel Adapter Client Driver") Cc: [email protected] Signed-off-by: Junrui Luo <[email protected]> --- drivers/scsi/ibmvscsi/ibmvfc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c index 228daffb286d..f346dee4a0ac 100644 --- a/drivers/scsi/ibmvscsi/ibmvfc.c +++ b/drivers/scsi/ibmvscsi/ibmvfc.c @@ -4965,7 +4965,7 @@ static void ibmvfc_discover_targets_done(struct ibmvfc_event *evt) switch (mad_status) { case IBMVFC_MAD_SUCCESS: ibmvfc_dbg(vhost, "Discover Targets succeeded\n"); - vhost->num_targets = be32_to_cpu(rsp->num_written); + vhost->num_targets = min_t(u32, be32_to_cpu(rsp->num_written), max_targets); ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_ALLOC_TGTS); break; case IBMVFC_MAD_FAILED: --- base-commit: 62085877ae6592be830c2267e35dc469cb706308 change-id: 20260124-fixes-c31dc1e4e4cb Best regards, -- Junrui Luo <[email protected]>
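Review bot: the clamp on the `+` line silently truncates a response in which `rsp->num_written` exceeds `max_targets`, so a misbehaving virtual adapter leaves no trace and the targets beyond the buffer are never discovered without any indication why. Since the hunk already calls `ibmvfc_dbg(vhost, "Discover Targets succeeded\n")` on this path, consider computing the value once and warning when it has to be clamped, for example `if (be32_to_cpu(rsp->num_written) > max_targets) dev_warn(vhost->dev, "Discover Targets returned more targets than fit in the discovery buffer, truncating\n");` before the assignment, and note the truncation behaviour in the change description so the reduced discovery is documented rather than implicit.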
