| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251201214329.933945-2-stefanha@redhat.com>
Date: Mon, 1 Dec 2025 16:43:26 -0500
From: Stefan Hajnoczi <stefanha@...hat.com>
To: linux-block@...r.kernel.org
Cc: Christoph Hellwig <hch@....de>,
linux-kernel@...r.kernel.org,
linux-scsi@...r.kernel.org,
"James E.J. Bottomley" <James.Bottomley@...senPartnership.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Keith Busch <kbusch@...nel.org>,
Jens Axboe <axboe@...nel.dk>,
Sagi Grimberg <sagi@...mberg.me>,
Mike Christie <michael.christie@...cle.com>,
Krzysztof Kozlowski <krzk@...nel.org>,
linux-nvme@...ts.infradead.org,
Stefan Hajnoczi <stefanha@...hat.com>
Subject: [PATCH v3 1/4] scsi: sd: reject invalid pr_read_keys() num_keys values
The pr_read_keys() interface has a u32 num_keys parameter. The SCSI
PERSISTENT RESERVE IN command has a maximum READ KEYS service action
size of 65536 bytes. Reject num_keys values that are too large to fit
into the SCSI command.
This will become important when pr_read_keys() is exposed to untrusted
userspace via an <linux/pr.h> ioctl.
Signed-off-by: Stefan Hajnoczi <stefanha@...hat.com>
---
drivers/scsi/sd.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 0252d3f6bed17..32ae4898cea7c 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1974,9 +1974,19 @@ static int sd_pr_read_keys(struct block_device *bdev, struct pr_keys *keys_info)
{
int result, i, data_offset, num_copy_keys;
u32 num_keys = keys_info->num_keys;
- int data_len = num_keys * 8 + 8;
+ int data_len;
u8 *data;
+ /*
+ * Each reservation key takes 8 bytes and there is an 8-byte header
+ * before the reservation key list. The total size must fit into the
+ * 16-bit ALLOCATION LENGTH field.
+ */
+ if (check_mul_overflow(num_keys, 8, &data_len) ||
+ check_add_overflow(data_len, 8, &data_len) ||
+ data_len > USHRT_MAX)
+ return -EINVAL;
+
data = kzalloc(data_len, GFP_KERNEL);
if (!data)
return -ENOMEM;
--
2.52.0
Powered by blists - more mailing lists