scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The bounds checking in scsi_bsg_uring_cmd() does not work because
cmd->request_len is a u32 and scmd->cmd_len is a u16. We check that
scmd->cmd_len is valid but if the cmd->request_len is more than
USHRT_MAX it would still lead to a buffer overflow when we do the
copy_from_user().

Fixes: 7b6d3255e7f8 ("scsi: bsg: add io_uring passthrough handler")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/adjNnMYK7A7KMNkA@stanley.mountain
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

Dan Carpenter and committed by

Jens Axboe 5 days ago 0a42ca4d 539fb773

+2 -2

1 changed file

expand all

drivers

scsi

scsi_bsg.c

+2 -2

drivers/scsi/scsi_bsg.c

··· 137 137 return PTR_ERR(req); 138 138 139 139 scmd = blk_mq_rq_to_pdu(req); 140 - scmd->cmd_len = cmd->request_len; 141 - if (scmd->cmd_len > sizeof(scmd->cmnd)) { 140 + if (cmd->request_len > sizeof(scmd->cmnd)) { 142 141 ret = -EINVAL; 143 142 goto out_free_req; 144 143 } 144 + scmd->cmd_len = cmd->request_len; 145 145 scmd->allowed = SG_DEFAULT_RETRIES; 146 146 147 147 if (copy_from_user(scmd->cmnd, uptr64(cmd->request), cmd->request_len)) {