Open Source and information security mailing list archives
Message-ID:
 <SYBPR01MB7881AC42D03DB777C4784520AF95A@SYBPR01MB7881.ausprd01.prod.outlook.com>
Date: Sat, 24 Jan 2026 23:23:10 +0800
From: Junrui Luo <moonafterrain@...look.com>
To: Tyrel Datwyler <tyreld@...ux.ibm.com>, 
 Madhavan Srinivasan <maddy@...ux.ibm.com>, 
 Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, 
 "Christophe Leroy (CS GROUP)" <chleroy@...nel.org>, 
 "James E.J. Bottomley" <James.Bottomley@...senPartnership.com>, 
 "Martin K. Petersen" <martin.petersen@...cle.com>, 
 Brian King <brking@...ux.vnet.ibm.com>
Cc: linux-scsi@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org, 
 linux-kernel@...r.kernel.org, Yuhao Jiang <danisjiang@...il.com>, 
 Junrui Luo <moonafterrain@...look.com>, stable@...r.kernel.org
Subject: [PATCH] scsi: ibmvfc: fix out-of-bounds read in discover_targets

The discover_targets_done() function processes a response from the
virtual FC adapter containing a num_written field that indicates how
many targets were written to the discovery buffer. This value is
assigned to vhost->num_targets without validation.

The discovery buffer is pre-allocated with a fixed size based on
max_targets, but the virtual adapter could return
num_written > max_targets. This causes an out-of-bounds read in
ibmvfc_alloc_targets() which iterates vhost->num_targets times over
the disc_buf array.

Fix by clamping the value to the maximum buffer size.

Reported-by: Yuhao Jiang <danisjiang@...il.com>
Reported-by: Junrui Luo <moonafterrain@...look.com>
Fixes: 072b91f9c651 ("[SCSI] ibmvfc: IBM Power Virtual Fibre Channel Adapter Client Driver")
Cc: stable@...r.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@...look.com>
---
 drivers/scsi/ibmvscsi/ibmvfc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index 228daffb286d..f346dee4a0ac 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -4965,7 +4965,7 @@ static void ibmvfc_discover_targets_done(struct ibmvfc_event *evt)
 	switch (mad_status) {
 	case IBMVFC_MAD_SUCCESS:
 		ibmvfc_dbg(vhost, "Discover Targets succeeded\n");
-		vhost->num_targets = be32_to_cpu(rsp->num_written);
+		vhost->num_targets = min_t(u32, be32_to_cpu(rsp->num_written), max_targets);
 		ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_ALLOC_TGTS);
 		break;
 	case IBMVFC_MAD_FAILED:
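Review bot: On the added min_t() line, the limit is the bare max_targets rather than a size recorded with the discovery buffer itself, so the clamp is only correct if max_targets still equals the value used when disc_buf was allocated. Please either note in the commit message that it cannot change after allocation, or derive the bound from the allocated buffer size kept in vhost. The clamp is also silent: when be32_to_cpu(rsp->num_written) exceeds the limit, a warning-level message would make a misbehaving adapter visible instead of quietly dropping targets. Style: the new line runs well past 80 columns and could be wrapped after the second argument.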

---
base-commit: 62085877ae6592be830c2267e35dc469cb706308
change-id: 20260124-fixes-c31dc1e4e4cb

Best regards,
-- 
Junrui Luo <moonafterrain@...look.com>
