Received: by 2002:a05:6358:701b:b0:131:369:b2a3 with SMTP id 27csp1831698rwo; Sun, 23 Jul 2023 01:18:13 -0700 (PDT) X-Google-Smtp-Source: APBJJlH3CQdSSN1puw2XlUE1O9DOK0mfY+OBb7kR8Dz6jS/IBHIP1yOeyJy0mAm45S9YI6fMmEsn X-Received: by 2002:a05:6402:68d:b0:521:a86d:d596 with SMTP id f13-20020a056402068d00b00521a86dd596mr6067047edy.7.1690100293466; Sun, 23 Jul 2023 01:18:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690100293; cv=none; d=google.com; s=arc-20160816; b=EiPxUn8WyxIso0l4ErGF7esRzK+fOdkYQaCr6I8JD99I6aR02I6t2O1OWjdWf45059 iRHsdRXcy77Xz3cIx6mitAJUgPDDX6DLR7JBmePuToPXUzNTBQCZhVz0ed/jUWiL7snk /zDhuBrVPSzJrvSfMsSaJDwKE7Wdok1RHpMp4SCgNbBbcjOWt6RyJjVrM2lGX+zxwRcJ p2zTgATG6ELbzB90VvSz0NbZP1ba2vNDlCYkjSkuy1iJbHxugACdIea/xXlm1WfhDYMh 0SyNwEztJGHDGlmMWEMlQegmlO9i3iSnL/ju+ceuRT/PN4LL+/Jw+7rXv+qqlGuwlI8j eflA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from; bh=GTf0JD0tGBw+0L9CvR8HMMKyyey3hBD0KqVX7hwZoqc=; fh=j+vdfQZzifaZty+LgS20ic7lC5PGzW+oGHF4ysdsXjk=; b=rv5/ppv/HbxQCnjR28k53FHc+h4MvEremNGADh5j20ndpHyIBXfqVZ8TwLUwlebiqe ryMHyFoGdrm7q/L/nup8XlNQ0sY1cDkpRAbinEcoUVbipbudtF3jAkogB3i9Ubi5+5Tc ZHkPVcR9ZZaJ909Nwauryl26MHrnPf6MnqJoI8vveOi4xgcWTo6tI6SBVuuMF5pAorXw cp7b3eVjXB6T3AcErqQV6JUQYOBvXD7CJooDsw7M8BkFL/rCp/wNUUqidI5RHqzIlWew bzX1odu0RtOGsdnjuudTQ0vh2X8QM3A4j2MlmhTgu8LDuCAT0IxZ4TozLkD6egRQhOeU tMbg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u25-20020aa7d999000000b0051deadf8cacsi4689910eds.181.2023.07.23.01.17.44; Sun, 23 Jul 2023 01:18:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229837AbjGWH6j (ORCPT + 99 others); Sun, 23 Jul 2023 03:58:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49564 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229713AbjGWH6i (ORCPT ); Sun, 23 Jul 2023 03:58:38 -0400 Received: from zg8tmja2lje4os4yms4ymjma.icoremail.net (zg8tmja2lje4os4yms4ymjma.icoremail.net [206.189.21.223]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id EC3EEE59 for ; Sun, 23 Jul 2023 00:58:35 -0700 (PDT) Received: from localhost.localdomain (unknown [39.174.92.167]) by mail-app3 (Coremail) with SMTP id cC_KCgAHf76h3bxkS2x_Cw--.19074S4; Sun, 23 Jul 2023 15:58:26 +0800 (CST) From: Lin Ma To: lduncan@suse.com, cleech@redhat.com, michael.christie@oracle.com, jejb@linux.ibm.com, martin.petersen@oracle.com, open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Lin Ma Subject: [PATCH v1 2/2] scsi: iscsi: Add strlen check in iscsi_if_set_{host}_param Date: Sun, 23 Jul 2023 15:58:20 +0800 Message-Id: <20230723075820.3713119-1-linma@zju.edu.cn> X-Mailer: git-send-email 2.17.1 X-CM-TRANSID: cC_KCgAHf76h3bxkS2x_Cw--.19074S4 X-Coremail-Antispam: 1UD129KBjvJXoWxCFWUGFy5Cw45WFyDtry7Wrg_yoW5GrWrpF WFg345A3yUJrWIkwnrXr4rGrWSkFs3XrWDtFW8t3s8ArZ8KFy5Ka9rKw4Y9FyUAws8Xw1Y gayDt3W5Wr12krJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkv14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E 2Ix0cI8IcVAFwI0_JF0_Jw1lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV W8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc2xSY4AK67AK6r4x MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr 0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCIc40Y0x0E wIxGrwCI42IY6xIIjxv20xvE14v26r1I6r4UMIIF0xvE2Ix0cI8IcVCY1x0267AKxVWxJV W8Jr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF 0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUm-eOUUUUU= X-CM-SenderInfo: qtrwiiyqvtljo62m3hxhgxhubq/ X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The function iscsi_if_set_param and iscsi_if_set_host_param converts nlattr payload to type char* and then call C string handling functions like sscanf and kstrdup. char *data = (char*)ev + sizeof(*ev); ... sscanf(data, "%d", &value); However, since the nlattr is provided by the user-space program and the nlmsg skb is allocated with GFP_KERNEL instead of GFP_ZERO flag (see netlink_alloc_large_skb in netlink_sendmsg), the dirty data remained in the heap can cause OOB read for those string handling functions. By investigating how the bug is introduced, we find it is really interesting as the old version parsing code starting from commit fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") treated the nlattr as integer bytes instead of string and had length check in iscsi_copy_param. if (ev->u.set_param.len != sizeof(uint32_t)) BUG(); But, since the commit a54a52caad4b ("[SCSI] iscsi: fixup set/get param functions"), code treated the nlattr as C string while forggeting to add any strlen checks, hence leave the possibility of OOB. This patch fixes the potential OOB by adding the strlen check before accessing the buf. If the data passes this check, all low-level set_param handlers can safely treat this buf as legal C string. Fixes: fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") Fixes: 1d9bf13a9cf9 ("[SCSI] iscsi class: add iscsi host set param event") Signed-off-by: Lin Ma --- drivers/scsi/scsi_transport_iscsi.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c index 62b24f1c0232..8ade01da3045 100644 --- a/drivers/scsi/scsi_transport_iscsi.c +++ b/drivers/scsi/scsi_transport_iscsi.c @@ -3030,6 +3030,10 @@ iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev, u if (!conn || !session) return -EINVAL; + /* data will be regarded as NULL-ended string, do length check */ + if (strlen(data) > ev->u.set_param.len) + return -EINVAL; + switch (ev->u.set_param.param) { case ISCSI_PARAM_SESS_RECOVERY_TMO: sscanf(data, "%d", &value); @@ -3203,6 +3207,10 @@ iscsi_set_host_param(struct iscsi_transport *transport, return -ENODEV; } + /* see similar check in iscsi_if_set_param() */ + if (strlen(data) > ev->u.set_host_param.len) + return -EINVAL; + err = transport->set_host_param(shost, ev->u.set_host_param.param, data, ev->u.set_host_param.len); scsi_host_put(shost); -- 2.17.1