> -----Original Message----- > From: Xiaohui Zhang <ruc_zhangxiaohui@xxxxxxx> > Sent: Tuesday, December 8, 2020 5:19 AM > To: Xiaohui Zhang <ruc_zhangxiaohui@xxxxxxx>; KY Srinivasan > <kys@xxxxxxxxxxxxx>; Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>; Stephen > Hemminger <sthemmin@xxxxxxxxxxxxx>; Wei Liu <wei.liu@xxxxxxxxxx>; > James E.J. Bottomley <jejb@xxxxxxxxxxxxx>; Martin K. Petersen > <martin.petersen@xxxxxxxxxx>; linux-hyperv@xxxxxxxxxxxxxxx; linux- > scsi@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx > Subject: [EXTERNAL] [PATCH 1/1] scsi: Fix possible buffer overflows in > storvsc_queuecommand > > From: Zhang Xiaohui <ruc_zhangxiaohui@xxxxxxx> > > storvsc_queuecommand() calls memcpy() without checking the destination size > may trigger a buffer overflower, which a local user could use to cause denial of > service or the execution of arbitrary code. > Fix it by putting the length check before calling memcpy(). > > Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@xxxxxxx> > --- > drivers/scsi/storvsc_drv.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index > 0c65fbd41..09b60a4c0 100644 > --- a/drivers/scsi/storvsc_drv.c > +++ b/drivers/scsi/storvsc_drv.c > @@ -1729,6 +1729,8 @@ static int storvsc_queuecommand(struct Scsi_Host > *host, struct scsi_cmnd *scmnd) > > vm_srb->cdb_length = scmnd->cmd_len; > > + if (vm_srb->cdb_length > STORVSC_MAX_CMD_LEN) > + vm_srb->cdb_length = STORVSC_MAX_CMD_LEN; > memcpy(vm_srb->cdb, scmnd->cmnd, vm_srb->cdb_length); The data structure is sized correctly to handle the max command length. Besides your check is bogus - you cannot truncate the command! K. Y > > sgl = (struct scatterlist *)scsi_sglist(scmnd); > -- > 2.17.1
