Date: Wed, 3 Nov 2021 18:09:51 +0100
From: Christoph Hellwig
To: Tadeusz Struk
Cc: Bart Van Assche, linux-scsi@vger.kernel.org, Christoph Hellwig, "James E . J . Bottomley", "Martin K . Petersen", linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 1/2] scsi: scsi_ioctl: Validate command size
Message-ID: <20211103170951.GA4896@lst.de>
In-Reply-To: <20211103170659.22151-1-tadeusz.struk@linaro.org>

On Wed, Nov 03, 2021 at 10:06:58AM -0700, Tadeusz Struk wrote:
> Need to make sure the command size is valid before copying
> the command from user.
>
> Cc: Bart Van Assche
> Cc: Christoph Hellwig
> Cc: James E.J. Bottomley
> Cc: Martin K. Petersen
> Cc:
> Cc:
> Cc: # 5.15, 5.14, 5.10
> Signed-off-by: Tadeusz Struk
> ---
> Changes in v2:
> - removed check for upper len limit as it is handled in sg_io()
> ---
> drivers/scsi/scsi_ioctl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/scsi/scsi_ioctl.c b/drivers/scsi/scsi_ioctl.c > index 6ff2207bd45a..a06c61f22742 100644 > --- a/drivers/scsi/scsi_ioctl.c > +++ b/drivers/scsi/scsi_ioctl.c > @@ -347,6 +347,8 @@ static int scsi_fill_sghdr_rq(struct scsi_device *sdev, struct request *rq, > { > struct scsi_request *req = scsi_req(rq); > > + if (hdr->cmd_len < 6) > + return -EMSGSIZE;

The check looks good, but I'd be tempted to place it next to the other
check on hdr->cmd_len in the caller.
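
Review bot: the bound in `if (hdr->cmd_len < 6)` at the top of scsi_fill_sghdr_rq() is a bare magic number with no comment saying why 6 is the minimum. A one-line comment that 6 bytes is the shortest SCSI CDB, or a named constant, would make the intent auditable. The v2 changelog says the upper limit on the length is handled in sg_io(), so with this placement the lower and upper bounds on the same user-supplied field are validated in two different functions; keeping both in one place would let a reader confirm the full range check before the copy from user space. The commit message could also state what goes wrong when cmd_len is below 6, since the patch is tagged for the 5.15, 5.14 and 5.10 stable trees.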