From: "Andrea Parri (Microsoft)"
To: linux-kernel@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-scsi@vger.kernel.org
Cc: "K . Y . Srinivasan", Haiyang Zhang, Stephen Hemminger, Wei Liu, "James E . J . Bottomley", "Martin K . Petersen", Michael Kelley, "Andrea Parri (Microsoft)", Dexuan Cui
Subject: [PATCH] scsi: storvsc: Fix validation for unsolicited incoming packets
Date: Tue, 5 Oct 2021 13:41:03 +0200
Message-Id: <20211005114103.3411-1-parri.andrea@gmail.com>

The validation on the length of incoming packets performed in
storvsc_on_channel_callback() does not apply to unsolicited packets with
ID of 0 sent by Hyper-V. Adjust the validation for such unsolicited
packets.

Fixes: 91b1b640b834b2 ("scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()")
Reported-by: Dexuan Cui
Signed-off-by: Andrea Parri (Microsoft) Reviewed-by: Haiyang Zhang --- Changes since RFC[1]: - Merge length checks (Haiyang Zhang) [1] https://lkml.kernel.org/r/20210928163732.5908-1-parri.andrea@gmail.com drivers/scsi/storvsc_drv.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index ebbbc1299c625..349c1071a98d4 100644 --- a/drivers/scsi/storvsc_drv.c +++ b/drivers/scsi/storvsc_drv.c @@ -292,6 +292,9 @@ struct vmstorage_protocol_version { #define STORAGE_CHANNEL_REMOVABLE_FLAG 0x1 #define STORAGE_CHANNEL_EMULATED_IDE_FLAG 0x2 +/* Lower bound on the size of unsolicited packets with ID of 0 */ +#define VSTOR_MIN_UNSOL_PKT_SIZE 48 + struct vstor_packet { /* Requested operation type */ enum vstor_packet_operation operation; @@ -1285,11 +1288,15 @@ static void storvsc_on_channel_callback(void *context) foreach_vmbus_pkt(desc, channel) { struct vstor_packet *packet = hv_pkt_data(desc); struct storvsc_cmd_request *request = NULL; + u32 pktlen = hv_pkt_datalen(desc); u64 rqst_id = desc->trans_id; + u32 minlen = rqst_id ? sizeof(struct vstor_packet) - + stor_device->vmscsi_size_delta : VSTOR_MIN_UNSOL_PKT_SIZE; - if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) - - stor_device->vmscsi_size_delta) { - dev_err(&device->device, "Invalid packet len\n"); + if (pktlen < minlen) { + dev_err(&device->device, + "Invalid pkt: id=%llu, len=%u, minlen=%u\n", + rqst_id, pktlen, minlen); continue; } -- 2.25.1
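
Review bot: In the first hunk (@@ -292,6 +292,9 @@), VSTOR_MIN_UNSOL_PKT_SIZE is a bare 48 with no stated derivation, so a reader cannot tell from the patch which leading fields of struct vstor_packet those 48 bytes are meant to cover or why that is enough for unsolicited packets. Please either express the bound in terms of the structure layout (an offsetof()/sizeof() expression on the fields that must be present) or extend the comment to say which packet fields are guaranteed valid at that length, so the constant can be re-checked if struct vstor_packet changes.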
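
Review bot: In the second hunk (@@ -1285,11 +1288,15 @@), minlen is chosen from rqst_id, which is desc->trans_id taken from the incoming packet descriptor, so any packet that arrives with ID 0 is held only to the 48-byte bound instead of sizeof(struct vstor_packet) - stor_device->vmscsi_size_delta. The visible lines do not show what the rest of the loop reads from packet when rqst_id is 0; please confirm, and ideally note in a comment next to the check, that this path touches nothing beyond the first VSTOR_MIN_UNSOL_PKT_SIZE bytes. Separately, the new dev_err() now prints id, len and minlen for every rejected packet, and the sender controls how often that happens; dev_err_ratelimited() would keep a stream of undersized packets from flooding the log.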