From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Keith Packard, Greg Kroah-Hartman, Andrew Morton, linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-staging@lists.linux.dev, linux-block@vger.kernel.org, linux-kbuild@vger.kernel.org, clang-built-linux@googlegroups.com
Subject: [PATCH 36/64] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
Date: Tue, 27 Jul 2021 13:58:27 -0700
Message-Id: <20210727205855.411487-37-keescook@chromium.org>
In-Reply-To: <20210727205855.411487-1-keescook@chromium.org>
References: <20210727205855.411487-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across neighboring fields. Instead of writing beyond the end of evt_struct->iu.srp.cmd, target the upper union (evt_struct->iu.srp) instead, as that's what is being wiped. Signed-off-by: Kees Cook --- drivers/scsi/ibmvscsi/ibmvscsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c index e6a3eaaa57d9..7e8beb42d2d3 100644 --- a/drivers/scsi/ibmvscsi/ibmvscsi.c +++ b/drivers/scsi/ibmvscsi/ibmvscsi.c @@ -1055,8 +1055,8 @@ static int ibmvscsi_queuecommand_lck(struct scsi_cmnd *cmnd, return SCSI_MLQUEUE_HOST_BUSY; /* Set up the actual SRP IU */ + memset(&evt_struct->iu.srp, 0x00, SRP_MAX_IU_LEN); srp_cmd = &evt_struct->iu.srp.cmd; - memset(srp_cmd, 0x00, SRP_MAX_IU_LEN); srp_cmd->opcode = SRP_CMD; memcpy(srp_cmd->cdb, cmnd->cmnd, sizeof(srp_cmd->cdb)); int_to_scsilun(lun, &srp_cmd->lun); -- 2.30.2
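
Review bot: in the added line `memset(&evt_struct->iu.srp, 0x00, SRP_MAX_IU_LEN);` the destination is now the union, but the length is still the constant SRP_MAX_IU_LEN, and nothing in the hunk ties that constant to the size of evt_struct->iu.srp. If the two ever differ, the wipe either leaves part of the union uninitialized or still runs past the object that the field bounds check is meant to protect. Since the commit message says the union is what is being wiped, consider writing the length as sizeof(evt_struct->iu.srp), or adding a build-time assertion that sizeof(evt_struct->iu.srp) equals SRP_MAX_IU_LEN so the assumption is checked at compile time.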