scsi: sg: off by one in sg_ioctl()

Message ID	20170817070954.d4gg7hqgg2qjf6d3@mwanda (mailing list archive)
State	Accepted, archived
Headers	show Return-Path: <linux-scsi-owner@kernel.org> Date: Thu, 17 Aug 2017 10:09:54 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Doug Gilbert <dgilbert@interlog.com>, Hannes Reinecke <hare@suse.de> Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] scsi: sg: off by one in sg_ioctl() Message-ID: <20170817070954.d4gg7hqgg2qjf6d3@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk

Message ID

20170817070954.d4gg7hqgg2qjf6d3@mwanda (mailing list archive)

State

Accepted, archived

Headers

Date: Thu, 17 Aug 2017 10:09:54 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Doug Gilbert <dgilbert@interlog.com>, Hannes Reinecke <hare@suse.de>
Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] scsi: sg: off by one in sg_ioctl()
Message-ID: <20170817070954.d4gg7hqgg2qjf6d3@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk

If "val" is SG_MAX_QUEUE then we are one element beyond the end of the "rinfo" array so the > should be >=. Fixes: 109bade9c625 ("scsi: sg: use standard lists for sg_requests") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Douglas Gilbert Aug. 23, 2017, 1:50 a.m. UTC | #1

On 2017-08-17 03:09 AM, Dan Carpenter wrote:
> If "val" is SG_MAX_QUEUE then we are one element beyond the end of the
> "rinfo" array so the > should be >=.
> 
> Fixes: 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>

Thanks.

> 
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index d7ff71e0c85c..84e782d8e7c3 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -1021,7 +1021,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
>   			read_lock_irqsave(&sfp->rq_list_lock, iflags);
>   			val = 0;
>   			list_for_each_entry(srp, &sfp->rq_list, entry) {
> -				if (val > SG_MAX_QUEUE)
> +				if (val >= SG_MAX_QUEUE)
>   					break;
>   				memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
>   				rinfo[val].req_state = srp->done + 1;
>

Martin K. Petersen Aug. 23, 2017, 2:24 a.m. UTC | #2

Dan,

> If "val" is SG_MAX_QUEUE then we are one element beyond the end of the
> "rinfo" array so the > should be >=.

Applied to 4.13/scsi-fixes. Thanks!

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index d7ff71e0c85c..84e782d8e7c3 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1021,7 +1021,7 @@  sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 			read_lock_irqsave(&sfp->rq_list_lock, iflags);
 			val = 0;
 			list_for_each_entry(srp, &sfp->rq_list, entry) {
-				if (val > SG_MAX_QUEUE)
+				if (val >= SG_MAX_QUEUE)
 					break;
 				memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
 				rinfo[val].req_state = srp->done + 1;

scsi: sg: off by one in sg_ioctl()

Commit Message

Comments

Patch