lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 12 Jan 2020 13:22:00 -0500
From:   Konrad Rzeszutek Wilk <konrad@...nok.org>
To:     Lubomir Rintel <lkundrak@...sk>
Cc:     Konrad Rzeszutek Wilk <konrad@...nel.org>,
        Peter Jones <pjones@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: [RESEND PATCH] iscsi_ibft: Don't limits Targets and NICs to two

On Sat, Dec 21, 2019 at 08:09:56AM +0100, Lubomir Rintel wrote:
> According to iSCSI Boot Firmware Table Version 1.03 [1], the length of
> the control table is ">= 18", where the optional expansion structure
> pointer follow the mandatory ones. This allows for more than two NICs
> and Targets.
> 
> [1] ftp://ftp.software.ibm.com/systems/support/bladecenter/iscsi_boot_firmware_table_v1.03.pdf
> 
> Let's enforce the minimum length of the control structure instead
> instead of limiting it to the smallest allowed size.
> 
> Signed-off-by: Lubomir Rintel <lkundrak@...sk>

Put it in my tree and will send it up to Linus for the next merge
window.

Thanks!
> ---
>  drivers/firmware/iscsi_ibft.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c
> index 7e12cbdf957cc..96758b71a8db8 100644
> --- a/drivers/firmware/iscsi_ibft.c
> +++ b/drivers/firmware/iscsi_ibft.c
> @@ -104,6 +104,7 @@ struct ibft_control {
>  	u16 tgt0_off;
>  	u16 nic1_off;
>  	u16 tgt1_off;
> +	u16 expansion[0];
>  } __attribute__((__packed__));
>  
>  struct ibft_initiator {
> @@ -235,7 +236,7 @@ static int ibft_verify_hdr(char *t, struct ibft_hdr *hdr, int id, int length)
>  				"found %d instead!\n", t, id, hdr->id);
>  		return -ENODEV;
>  	}
> -	if (hdr->length != length) {
> +	if (length && hdr->length != length) {
>  		printk(KERN_ERR "iBFT error: We expected the %s " \
>  				"field header.length to have %d but " \
>  				"found %d instead!\n", t, length, hdr->length);
> @@ -749,16 +750,16 @@ static int __init ibft_register_kobjects(struct acpi_table_ibft *header)
>  	control = (void *)header + sizeof(*header);
>  	end = (void *)control + control->hdr.length;
>  	eot_offset = (void *)header + header->header.length - (void *)control;
> -	rc = ibft_verify_hdr("control", (struct ibft_hdr *)control, id_control,
> -			     sizeof(*control));
> +	rc = ibft_verify_hdr("control", (struct ibft_hdr *)control, id_control, 0);
>  
>  	/* iBFT table safety checking */
>  	rc |= ((control->hdr.index) ? -ENODEV : 0);
> +	rc |= ((control->hdr.length < sizeof(*control)) ? -ENODEV : 0);
>  	if (rc) {
>  		printk(KERN_ERR "iBFT error: Control header is invalid!\n");
>  		return rc;
>  	}
> -	for (ptr = &control->initiator_off; ptr < end; ptr += sizeof(u16)) {
> +	for (ptr = &control->initiator_off; ptr + sizeof(u16) <= end; ptr += sizeof(u16)) {
>  		offset = *(u16 *)ptr;
>  		if (offset && offset < header->header.length &&
>  						offset < eot_offset) {
> -- 
> 2.24.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ