| Message ID | 02b0d4ff-961c-49ae-921a-5cc469edf93c@stanley.mountain (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() | expand |
Dan, > The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32, > not the number of bytes. We dump that many u32 values to dmesg. Passing > the number of bytes will lead to a read overflow. Divide by 4 to get the > correct value. Applied to 6.15/scsi-staging, thanks!
On Fri, 28 Feb 2025 12:37:28 +0300, Dan Carpenter wrote: > The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32, > not the number of bytes. We dump that many u32 values to dmesg. Passing > the number of bytes will lead to a read overflow. Divide by 4 to get the > correct value. > > Applied to 6.15/scsi-queue, thanks! [1/1] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() https://git.kernel.org/mkp/scsi/c/0711f1966a52
diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c index ff8fedf5f20e..063b10dd8251 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c @@ -3017,7 +3017,7 @@ int mpt3sas_send_mctp_passthru_req(struct mpt3_passthru_command *command) if (!(ioc->ctl_cmds.status & MPT3_CMD_COMPLETE)) { mpt3sas_check_cmd_timeout(ioc, ioc->ctl_cmds.status, mpi_request, - sizeof(Mpi26MctpPassthroughRequest_t), issue_reset); + sizeof(Mpi26MctpPassthroughRequest_t) / 4, issue_reset); goto issue_host_reset; }
The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32, not the number of bytes. We dump that many u32 values to dmesg. Passing the number of bytes will lead to a read overflow. Divide by 4 to get the correct value. Fixes: c72be4b5bb7c ("scsi: mpt3sas: Add support for MCTP Passthrough commands") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)