Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1975260pxb;
        Fri, 5 Mar 2021 04:33:43 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxHshh/+kIsm6CZG+bNJaCM92nGHroFSlM/0Nf/E09I18bYNyAFgasrClA5xvFb6DQFpgTR
X-Received: by 2002:a17:906:3e92:: with SMTP id a18mr1938149ejj.95.1614947623013;
        Fri, 05 Mar 2021 04:33:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1614947623; cv=none;
        d=google.com; s=arc-20160816;
        b=J+VKBf/aNrLxPrH2wTjoeKmiLChnA5QjksJpX2TPo136QG/2FMrRtFhtQIaZmVkul1
         OQoxZbtAIX8X996mzOMlFnMdYVdMCtxaCZgL9dgs73gW3awn3r4/R428e47Y0fhZ7hvJ
         1o4k2pqe3bpisPNRgoi5AIjo9u2+wBIQHwgO43ijJ6ZP5Y6AXWnDPx6A8I8wd33kTX6o
         KPCEPKlPNwSDHsIwI+gwIMa9twCXwjvtvbPfVbcsJDnRVD8xpCaseAQwmMku2wOH0vUd
         GYrEy4RaQ9O+lFC1WQvx4g10OxxX2vRl8fhON9BfMzdP/zLyz+ukYo2NWmSwqtYPapVn
         A+Zw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=ZCxLkYoxf4Q+wQiIybUCsGncPOBh3b/mKaG/fJD/cp4=;
        b=ePXLaWDJ2ytZEqRCmtGE3q3OK5D4K7Btz/0sUf2xzdlVOONwSdv/89ClaQaRh4N2ky
         6zJhhf3+kH2Vtll+sVgcGNH3UnrmV26CiBHf/oAmKGakn6NR3rS6vy5anexoRujKObnv
         8XOFmexJ0RTcHN3h79WfXSuUig318zahF2ZCtO9jCak2gAOmsPlQCGB1onP7lx/nqQZT
         yqkQxxc5uBJEgYT76BgX1EO4cP/6LcsiavuUcDut6RuleET8STusfTtNXOX1uwRS/HiL
         eR7W+p3HcIEASXdEoiupohmV2Gtdn1V3vqrIvjYffJCIyxdEf2W9fAcwQ1SQhZWRD+Yq
         lG1w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=CtJU1rG8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a9si1324775ejk.421.2021.03.05.04.33.19;
        Fri, 05 Mar 2021 04:33:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=CtJU1rG8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231655AbhCEMc3 (ORCPT <rfc822;lvda1993@gmail.com> + 99 others);
        Fri, 5 Mar 2021 07:32:29 -0500
Received: from mail.kernel.org ([198.145.29.99]:41638 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S231784AbhCEMbh (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 5 Mar 2021 07:31:37 -0500
Received: by mail.kernel.org (Postfix) with ESMTPSA id CE6B465029;
        Fri,  5 Mar 2021 12:31:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1614947496;
        bh=eAwaXMiEXyKxabvLrXknajWjXn6HfIAyhd9zxfYJk8w=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=CtJU1rG89pwnNTEPIRwLRYo9X20c7NjFsO/uyRFtQq2Do/1ui1EXq4cW8E3OttUDB
         oDyl4+oZTFtRUaWIYfprJBKi/Vku4DszARXLFfc0+kkvbdHu95BbZsOjWy7ub95KEx
         S/0aHi129HeAUc3YotUnPn7oFs+ixY4/mOM0hfmE=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Adam Nichols <adam@grimm-co.com>,
        Lee Duncan <lduncan@suse.com>,
        Mike Christie <michael.christie@oracle.com>,
        Chris Leech <cleech@redhat.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 5.10 085/102] scsi: iscsi: Verify lengths on passthrough PDUs
Date:   Fri,  5 Mar 2021 13:21:44 +0100
Message-Id: <20210305120907.465593010@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210305120903.276489876@linuxfoundation.org>
References: <20210305120903.276489876@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Chris Leech <cleech@redhat.com>

commit f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5 upstream.

Open-iSCSI sends passthrough PDUs over netlink, but the kernel should be
verifying that the provided PDU header and data lengths fall within the
netlink message to prevent accessing beyond that in memory.

Cc: stable@vger.kernel.org
Reported-by: Adam Nichols <adam@grimm-co.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_transport_iscsi.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3627,6 +3627,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
 {
 	int err = 0;
 	u32 portid;
+	u32 pdu_len;
 	struct iscsi_uevent *ev = nlmsg_data(nlh);
 	struct iscsi_transport *transport = NULL;
 	struct iscsi_internal *priv;
@@ -3769,6 +3770,14 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
 			err = -EINVAL;
 		break;
 	case ISCSI_UEVENT_SEND_PDU:
+		pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev);
+
+		if ((ev->u.send_pdu.hdr_size > pdu_len) ||
+		    (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) {
+			err = -EINVAL;
+			break;
+		}
+
 		conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid);
 		if (conn) {
 			mutex_lock(&conn_mutex);