• Dan Carpenter's avatar
    vhost/scsi: potential memory corruption · fa83234f
    Dan Carpenter authored
    commit 59c816c1
    
     upstream.
    
    This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
    to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
    
    I looked at the context and it turns out that in
    vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
    the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
    anything higher than 255 then it is invalid.  I have made that the limit
    now.
    
    In vhost_scsi_send_evt() we mask away values higher than 255, but now
    that the limit has changed, we don't need the mask.
    Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    [ The affected function was renamed to vhost_scsi_make_tpg before
      the vulnerability was announced, I ported it to 3.10 stable and
      changed the code in function tcm_vhost_make_tpg]
    Signed-off-by: default avatarWang Long <long.wanglong@huawei.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    fa83234f
scsi.c 57.1 KB