Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp31881pxb; Fri, 15 Jan 2021 05:10:08 -0800 (PST) X-Google-Smtp-Source: ABdhPJz9UYVp/wunrQoNTLrEh61GZ+BhG52ZYHbRu/5KLoEnncWpZUlIEZRPJ5RJ5Lw90tPWrJN4 X-Received: by 2002:aa7:cb42:: with SMTP id w2mr9728275edt.21.1610716208379; Fri, 15 Jan 2021 05:10:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610716208; cv=none; d=google.com; s=arc-20160816; b=ItAvbUUuVGMuD87q+Eaak7r70iJ/XCYvSMHKVsyKrAFllEgZHACqV3HQ8vJMS3f53k pUW4DZgXK7HVEgbOOGdOiVBdwwyQeuMiAGMliwzVxzOxJl0IgWwAkldvfFZmu8Tujxa3 VdA2DvS4sx07X7b3yqLjLF2WV08NtpLLYYzDSAFG45WohEkQqWjYedQJUlh17EiVl+D8 caFDVo3PNYWYRkz+R349uVRKlNKW5Vc+BrUDYO3GgwSXBOtubNcGLSuKkbqPYTnOiKbY jjSevYbSgRXYdxhwN6DZfkyyxs55K+tWP7F9TvsIEi5oZbZyASkvyJnq/eDJz4YfLOcZ FB6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=pkwx977hIHgTYSlQLmxxNK5qQdwU7DQQWn724ndmf8E=; b=FJ43NNxnjaEV8+BOxQvbznYJb7GWymsNBHIssk117mUJAoF7L91exk0DNqnpF289ti 0h6gPWIVysFduPwDxmD8VJSCGlAi0G3ndpopVzGcxG/5PSlu6GPL3YqvJpNDccb2DpRC 0r1lQjoseE+JhKZK5n25iELDwzUFevE58+BLbPysk8aL+uPXviuEV33NOCn3HDmxWPMf mJsIQsE4VNuKPwyZEMTOR3Id2kQ8ICVdoZBHx8GLQxsshG+dY9DOoL4jyIjNagO6qiZo /EqcTbc0YRaZ8CACE3VnpUnpHadF7Mzloab4nnL+hQptsLBvize9XVbPu94TtoOXAvWn HmJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=oB2nQUmv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bt22si3627680ejb.107.2021.01.15.05.09.44; Fri, 15 Jan 2021 05:10:08 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=oB2nQUmv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732816AbhAONIg (ORCPT + 99 others); Fri, 15 Jan 2021 08:08:36 -0500 Received: from mail.kernel.org ([198.145.29.99]:36414 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732001AbhAOMao (ORCPT ); Fri, 15 Jan 2021 07:30:44 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 655EA23359; Fri, 15 Jan 2021 12:29:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1610713779; bh=XKgiajTu+HVz3vlQtjB2OADN1vzKXJqxGgK3oPODjTE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oB2nQUmvWQ+kMKtB0kF3llZJncAFjuLUjsexlwlXUPkuCk6DMtef+KfgsvW8I3DJM ntXIbbGVZ1mU1wSzyyd2zKuGempD04mZzA4dDc5I8utSW6wvJ9R1M6VXT/yXmjBzcQ jx4zdiw14s0SrwUAw0doTF+CZt49Nx9K+iTCe5fs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Disseldorp , Christoph Hellwig , Bart Van Assche , Sasha Levin Subject: [PATCH 4.4 02/18] target: bounds check XCOPY segment descriptor list Date: Fri, 15 Jan 2021 13:27:30 +0100 Message-Id: <20210115121955.231591863@linuxfoundation.org> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210115121955.112329537@linuxfoundation.org> References: <20210115121955.112329537@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Disseldorp [ Upstream commit af9f62c1686268c0517b289274d38f3a03bebd2a ] Check the length of the XCOPY request segment descriptor list against the value advertised via the MAXIMUM SEGMENT DESCRIPTOR COUNT field in the RECEIVE COPY OPERATING PARAMETERS response. spc4r37 6.4.3.5 states: If the number of segment descriptors exceeds the allowed number, the copy manager shall terminate the command with CHECK CONDITION status, with the sense key set to ILLEGAL REQUEST, and the additional sense code set to TOO MANY SEGMENT DESCRIPTORS. This functionality is testable using the libiscsi ExtendedCopy.DescrLimits test. Signed-off-by: David Disseldorp Reviewed-by: Christoph Hellwig Signed-off-by: Bart Van Assche Signed-off-by: Sasha Levin --- drivers/target/target_core_xcopy.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c index 6415e9b09a529..cd71957c7075f 100644 --- a/drivers/target/target_core_xcopy.c +++ b/drivers/target/target_core_xcopy.c @@ -305,17 +305,26 @@ static int target_xcopy_parse_segdesc_02(struct se_cmd *se_cmd, struct xcopy_op static int target_xcopy_parse_segment_descriptors(struct se_cmd *se_cmd, struct xcopy_op *xop, unsigned char *p, - unsigned int sdll) + unsigned int sdll, sense_reason_t *sense_ret) { unsigned char *desc = p; unsigned int start = 0; int offset = sdll % XCOPY_SEGMENT_DESC_LEN, rc, ret = 0; + *sense_ret = TCM_INVALID_PARAMETER_LIST; + if (offset != 0) { pr_err("XCOPY segment descriptor list length is not" " multiple of %d\n", XCOPY_SEGMENT_DESC_LEN); return -EINVAL; } + if (sdll > RCR_OP_MAX_SG_DESC_COUNT * XCOPY_SEGMENT_DESC_LEN) { + pr_err("XCOPY supports %u segment descriptor(s), sdll: %u too" + " large..\n", RCR_OP_MAX_SG_DESC_COUNT, sdll); + /* spc4r37 6.4.3.5 SEGMENT DESCRIPTOR LIST LENGTH field */ + *sense_ret = TCM_TOO_MANY_SEGMENT_DESCS; + return -EINVAL; + } while (start < sdll) { /* @@ -913,7 +922,8 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) seg_desc = &p[16]; seg_desc += (rc * XCOPY_TARGET_DESC_LEN); - rc = target_xcopy_parse_segment_descriptors(se_cmd, xop, seg_desc, sdll); + rc = target_xcopy_parse_segment_descriptors(se_cmd, xop, seg_desc, + sdll, &ret); if (rc <= 0) { xcopy_pt_undepend_remotedev(xop); goto out; -- 2.27.0