Re: [PATCH 3/3] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()
Hi Olaf,
On Mon, Mar 29, 2021 at 06:37:21PM +0200, Olaf Hering wrote:
> On Thu, Dec 17, Andrea Parri (Microsoft) wrote:
>
> > Check that the packet is of the expected size at least, don't copy data
> > past the packet.
>
> > + if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) -
> > + stor_device->vmscsi_size_delta) {
> > + dev_err(>device, "Invalid packet len\n");
> > + continue;
> > + }
> > +
>
> Sorry for being late:
>
> It might be just cosmetic, but should this check be done prior the call to
> vmbus_request_addr()?
TBH, I'm not immediately seeing why it 'should'; it could make sense to move
the check on the packet data length.
> Unrelated: my copy of vmbus_request_addr() can return 0, which is apparently
> not handled by this loop in storvsc_on_channel_callback().
Indeed, IDs of 0 are reserved for so called unsolicited messages; I think we
should check that storvsc_on_io_completion() is not called on such messages.
Thanks,
Andrea
Re: [PATCH 3/3] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()
On Thu, Dec 17, Andrea Parri (Microsoft) wrote:
> Check that the packet is of the expected size at least, don't copy data
> past the packet.
> + if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) -
> + stor_device->vmscsi_size_delta) {
> + dev_err(>device, "Invalid packet len\n");
> + continue;
> + }
> +
Sorry for being late:
It might be just cosmetic, but should this check be done prior the call to
vmbus_request_addr()?
Unrelated: my copy of vmbus_request_addr() can return 0, which is apparently
not handled by this loop in storvsc_on_channel_callback().
Olaf
signature.asc
Description: PGP signature
RE: [PATCH 3/3] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()
From: Andrea Parri (Microsoft) Sent: Thursday,
December 17, 2020 12:33 PM
>
> Check that the packet is of the expected size at least, don't copy data
> past the packet.
>
> Reported-by: Saruhan Karademir
> Signed-off-by: Andrea Parri (Microsoft)
> Cc: "James E.J. Bottomley"
> Cc: "Martin K. Petersen"
> Cc: linux-s...@vger.kernel.org
> ---
> drivers/scsi/storvsc_drv.c | 6 ++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
> index 8714355cb63e7..4b8bde2750fac 100644
> --- a/drivers/scsi/storvsc_drv.c
> +++ b/drivers/scsi/storvsc_drv.c
> @@ -1250,6 +1250,12 @@ static void storvsc_on_channel_callback(void *context)
> request = (struct storvsc_cmd_request *)
> ((unsigned long)desc->trans_id);
>
> + if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) -
> + stor_device->vmscsi_size_delta) {
> + dev_err(>device, "Invalid packet len\n");
> + continue;
> + }
> +
> if (request == _device->init_request ||
> request == _device->reset_request) {
> memcpy(>vstor_packet, packet,
> --
> 2.25.1
Reviewed-by: Michael Kelley
RE: [PATCH 3/3] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()
> From: Andrea Parri (Microsoft) > Sent: Thursday, December 17, 2020 12:33 PM > > Check that the packet is of the expected size at least, don't copy data > past the packet. > > Reported-by: Saruhan Karademir > Signed-off-by: Andrea Parri (Microsoft) > Cc: "James E.J. Bottomley" > Cc: "Martin K. Petersen" > Cc: linux-s...@vger.kernel.org Reviewed-by: Dexuan Cui
