From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Andrea Parri (Microsoft)", "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, Saruhan Karademir, Sasha Levin, devel@linuxdriverproject.org
Subject: [PATCH AUTOSEL 5.9 15/23] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()
Date: Sat, 12 Dec 2020 11:07:56 -0500
Message-Id: <20201212160804.2334982-15-sashal@kernel.org>
In-Reply-To: <20201212160804.2334982-1-sashal@kernel.org>
References: <20201212160804.2334982-1-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Andrea Parri (Microsoft)" [ Upstream commit 3b8c72d076c42bf27284cda7b2b2b522810686f8 ] Check that the packet is of the expected size at least, don't copy data past the packet. Link: https://lore.kernel.org/r/20201118145348.109879-1-parri.andrea@gmail.com Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-scsi@vger.kernel.org Reported-by: Saruhan Karademir Signed-off-by: Andrea Parri (Microsoft) Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/storvsc_drv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index 8f5f5dc863a4a..6779ee4edfee3 100644 --- a/drivers/scsi/storvsc_drv.c +++ b/drivers/scsi/storvsc_drv.c @@ -1246,6 +1246,11 @@ static void storvsc_on_channel_callback(void *context) request = (struct storvsc_cmd_request *) ((unsigned long)desc->trans_id); + if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) - vmscsi_size_delta) { + dev_err(&device->device, "Invalid packet len\n"); + continue; + } + if (request == &stor_device->init_request || request == &stor_device->reset_request) { memcpy(&request->vstor_packet, packet, -- 2.27.0
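
Review bot: The error path added before the `request == &stor_device->init_request` test logs a fixed "Invalid packet len" through dev_err() with no rate limit and no lengths, so a channel that keeps delivering short packets can fill the log while giving nothing to diagnose with. Consider dev_err_ratelimited() and printing both hv_pkt_datalen(desc) and the expected minimum, sizeof(struct vstor_packet) - vmscsi_size_delta. Two further points from the visible context. First, the new check is a lower bound only, and the length argument of the memcpy() into request->vstor_packet is cut off in the trailing context, so it is worth confirming that the copy size is that same fixed minimum and not a value derived from the packet. Second, request is still obtained by casting desc->trans_id in the line above the check, so the copy destination is not covered by this validation, and the `continue` drops the packet without completing whatever request that trans_id refers to. A short comment or a sentence in the commit message saying what happens to that outstanding request would help.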