From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Adam Nichols, Lee Duncan, Mike Christie, Chris Leech, "Martin K. Petersen"
Subject: [PATCH 5.4 64/72] scsi: iscsi: Verify lengths on passthrough PDUs
Date: Fri, 5 Mar 2021 13:22:06 +0100
Message-Id: <20210305120900.470891184@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210305120857.341630346@linuxfoundation.org>
References: <20210305120857.341630346@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Chris Leech

commit f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5 upstream.

Open-iSCSI sends passthrough PDUs over netlink, but the kernel should be verifying that the provided PDU header and data lengths fall within the netlink message to prevent accessing beyond that in memory.

Cc: stable@vger.kernel.org
Reported-by: Adam Nichols
Reviewed-by: Lee Duncan
Reviewed-by: Mike Christie
Signed-off-by: Chris Leech
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman

--- drivers/scsi/scsi_transport_iscsi.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/drivers/scsi/scsi_transport_iscsi.c +++ b/drivers/scsi/scsi_transport_iscsi.c @@ -3509,6 +3509,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, s { int err = 0; u32 portid; + u32 pdu_len; struct iscsi_uevent *ev = nlmsg_data(nlh); struct iscsi_transport *transport = NULL; struct iscsi_internal *priv; @@ -3626,6 +3627,14 @@ iscsi_if_recv_msg(struct sk_buff *skb, s err = -EINVAL; break; case ISCSI_UEVENT_SEND_PDU: + pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); + + if ((ev->u.send_pdu.hdr_size > pdu_len) || + (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) { + err = -EINVAL; + break; + } + conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid); if (conn) ev->r.retcode = transport->send_pdu(conn,
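
Review bot: In the ISCSI_UEVENT_SEND_PDU case, `pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev);` is computed in u32 and the visible lines show no lower bound on nlmsg_len, so a message shorter than the two headers would wrap pdu_len to a very large value and let both length comparisons pass. If the caller of iscsi_if_recv_msg() does not already reject such messages, add an explicit `nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev)` test before the subtraction; if it does, a short comment naming where that guarantee comes from would make the new check reviewable on its own. The second comparison, `data_size > (pdu_len - hdr_size)`, is only safe because the first comparison short-circuits when hdr_size exceeds pdu_len, and it deliberately avoids summing hdr_size and data_size; a one-line comment saying so would keep a later cleanup from reordering or "simplifying" it into an overflowing sum.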