From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Adam Nichols, Lee Duncan, Mike Christie, Chris Leech, "Martin K. Petersen"
Subject: [PATCH 4.19 45/52] scsi: iscsi: Verify lengths on passthrough PDUs
Date: Fri, 5 Mar 2021 13:22:16 +0100
Message-Id: <20210305120855.867402437@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210305120853.659441428@linuxfoundation.org>
References: <20210305120853.659441428@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Chris Leech

commit f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5 upstream.

Open-iSCSI sends passthrough PDUs over netlink, but the kernel should be verifying that the provided PDU header and data lengths fall within the netlink message to prevent accessing beyond that in memory.

Cc: stable@vger.kernel.org
Reported-by: Adam Nichols
Reviewed-by: Lee Duncan
Reviewed-by: Mike Christie
Signed-off-by: Chris Leech
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman

--- drivers/scsi/scsi_transport_iscsi.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/drivers/scsi/scsi_transport_iscsi.c +++ b/drivers/scsi/scsi_transport_iscsi.c @@ -3507,6 +3507,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, s { int err = 0; u32 portid; + u32 pdu_len; struct iscsi_uevent *ev = nlmsg_data(nlh); struct iscsi_transport *transport = NULL; struct iscsi_internal *priv; @@ -3624,6 +3625,14 @@ iscsi_if_recv_msg(struct sk_buff *skb, s err = -EINVAL; break; case ISCSI_UEVENT_SEND_PDU: + pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); + + if ((ev->u.send_pdu.hdr_size > pdu_len) || + (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) { + err = -EINVAL; + break; + } + conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid); if (conn) ev->r.retcode = transport->send_pdu(conn,
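
Review bot: in the ISCSI_UEVENT_SEND_PDU case of the second hunk, "pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev);" is an unsigned (u32) subtraction with no lower bound on nlmsg_len visible in these lines. If nlmsg_len were smaller than the two headers combined, pdu_len would wrap to a very large value and both comparisons that follow would pass. If an earlier check in the receive path already guarantees nlmsg_len >= sizeof(*nlh) + sizeof(*ev), a one-line comment here saying so would make the dependency explicit; otherwise that case should be rejected with -EINVAL before the subtraction. The order of the two tests is right and worth keeping: comparing hdr_size against pdu_len first ensures "pdu_len - ev->u.send_pdu.hdr_size" cannot underflow, and it avoids the integer overflow that a combined hdr_size + data_size > pdu_len test would be open to.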