| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260121114515.1829-2-qikeyu2017@gmail.com>
Date: Wed, 21 Jan 2026 19:45:15 +0800
From: Kery Qi <qikeyu2017@...il.com>
To: bootc@...tc.net,
martin.petersen@...cle.com
Cc: nab@...ux-iscsi.org,
stefanr@...6.in-berlin.de,
linux-scsi@...r.kernel.org,
target-devel@...r.kernel.org,
linux1394-devel@...ts.sourceforge.net,
linux-kernel@...r.kernel.org,
Kery Qi <qikeyu2017@...il.com>
Subject: [PATCH] firewire: sbp-target: fix integer type overflow in sbp_make_tpg()
The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type
of "tpg->tport_tpgt" is u16. This causes a type truncation issue.
When a user creates a TPG via configfs mkdir, for example:
mkdir /sys/kernel/config/target/sbp/<wwn>/tpgt_70000
The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far
less than 4294967295. However, when assigned to the u16 field
tpg->tport_tpgt, the value is silently truncated to 4464 (70000 &
0xFFFF). This causes the value the user specified to differ from what
is actually stored, leading to confusion and potential unexpected
behavior.
Fix this by changing the type of "tpgt" to u16 and using kstrtou16()
which will properly reject values outside the u16 range.
Fixes: a511ce3397803 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support")
Signed-off-by: Kery Qi <qikeyu2017@...il.com>
---
drivers/target/sbp/sbp_target.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c
index 9f167ff8da7b..09120a538a40 100644
--- a/drivers/target/sbp/sbp_target.c
+++ b/drivers/target/sbp/sbp_target.c
@@ -1960,12 +1960,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn,
container_of(wwn, struct sbp_tport, tport_wwn);
struct sbp_tpg *tpg;
- unsigned long tpgt;
+ u16 tpgt;
int ret;
if (strstr(name, "tpgt_") != name)
return ERR_PTR(-EINVAL);
- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
+ if (kstrtou16(name + 5, 10, &tpgt))
return ERR_PTR(-EINVAL);
if (tport->tpg) {
--
2.34.1
Powered by blists - more mailing lists