| Message ID | 20240226151013.8653-1-thenzl@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | mpi3mr: sanitise num_phys | expand |
On Mon, Feb 26, 2024 at 8:14 AM Tomas Henzl <thenzl@redhat.com> wrote: > > Information is stored in mr_sas_port->phy_mask, values larger then size > of this field shouldn't be allowed. > > Signed-off-by: Tomas Henzl <thenzl@redhat.com> > --- Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com> > drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c > index c0c8ab586957..352f006c8fe4 100644 > --- a/drivers/scsi/mpi3mr/mpi3mr_transport.c > +++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c > @@ -1355,11 +1355,21 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, > mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node, > mr_sas_port->remote_identify.sas_address, hba_port); > > + if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8) > + ioc_info(mrioc, "max port count %u could be too high\n", > + mr_sas_node->num_phys); > + > for (i = 0; i < mr_sas_node->num_phys; i++) { > if ((mr_sas_node->phy[i].remote_identify.sas_address != > mr_sas_port->remote_identify.sas_address) || > (mr_sas_node->phy[i].hba_port != hba_port)) > continue; > + > + if (i > sizeof(mr_sas_port->phy_mask) * 8) { > + ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n", > + i, sizeof(mr_sas_port->phy_mask) * 8); > + goto out_fail; > + } > list_add_tail(&mr_sas_node->phy[i].port_siblings, > &mr_sas_port->phy_list); > mr_sas_port->num_phys++; > -- > 2.43.2 >
Sathya, >> Information is stored in mr_sas_port->phy_mask, values larger then >> size of this field shouldn't be allowed. Applied to 6.10/scsi-staging, thanks!
On Mon, 26 Feb 2024 16:10:13 +0100, Tomas Henzl wrote: > Information is stored in mr_sas_port->phy_mask, values larger then size > of this field shouldn't be allowed. > > Applied to 6.10/scsi-queue, thanks! [1/1] mpi3mr: sanitise num_phys https://git.kernel.org/mkp/scsi/c/3668651def2c
diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c index c0c8ab586957..352f006c8fe4 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_transport.c +++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c @@ -1355,11 +1355,21 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node, mr_sas_port->remote_identify.sas_address, hba_port); + if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8) + ioc_info(mrioc, "max port count %u could be too high\n", + mr_sas_node->num_phys); + for (i = 0; i < mr_sas_node->num_phys; i++) { if ((mr_sas_node->phy[i].remote_identify.sas_address != mr_sas_port->remote_identify.sas_address) || (mr_sas_node->phy[i].hba_port != hba_port)) continue; + + if (i > sizeof(mr_sas_port->phy_mask) * 8) { + ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n", + i, sizeof(mr_sas_port->phy_mask) * 8); + goto out_fail; + } list_add_tail(&mr_sas_node->phy[i].port_siblings, &mr_sas_port->phy_list); mr_sas_port->num_phys++;
Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed. Signed-off-by: Tomas Henzl <thenzl@redhat.com> --- drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++ 1 file changed, 10 insertions(+)