tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg()

The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of
"tpg->tport_tpgt" is u16. This causes a type truncation issue.

When a user creates a TPG via configfs mkdir, for example:

mkdir /sys/kernel/config/target/sbp/<wwn>/tpgt_70000

The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less
than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt,
the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the
value the user specified to differ from what is actually stored, leading to
confusion and potential unexpected behavior.

Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which
will properly reject values outside the u16 range.

Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

authored by Kery Qi and committed by Martin K. Petersen b2d6b1d4 4747bafa

+2 -2
unified split
+2 -2
drivers/target/sbp/sbp_target.c
··· 1960 container_of(wwn, struct sbp_tport, tport_wwn); 1961 1962 struct sbp_tpg *tpg; 1963 - unsigned long tpgt; 1964 int ret; 1965 1966 if (strstr(name, "tpgt_") != name) 1967 return ERR_PTR(-EINVAL); 1968 - if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) 1969 return ERR_PTR(-EINVAL); 1970 1971 if (tport->tpg) {
··· 1960 container_of(wwn, struct sbp_tport, tport_wwn); 1961 1962 struct sbp_tpg *tpg; 1963 + u16 tpgt; 1964 int ret; 1965 1966 if (strstr(name, "tpgt_") != name) 1967 return ERR_PTR(-EINVAL); 1968 + if (kstrtou16(name + 5, 10, &tpgt)) 1969 return ERR_PTR(-EINVAL); 1970 1971 if (tport->tpg) {