git.proxmox.com Git - mirror_ubuntu-kernels.git/commit

author	Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
	Tue, 14 Feb 2023 00:50:16 +0000 (09:50 +0900)
committer	Andrea Righi <andrea.righi@canonical.com>
	Tue, 14 Mar 2023 15:47:20 +0000 (16:47 +0100)
commit	c5aec752dc647e446c9725eecff722ad417ab5f1
tree	49a5529be54cfba113999eb5365750f0a35a22a0	tree
parent	622507386d7d0b480d5ff5cfa1ccbafd72fc289a	commit \| diff

scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()

BugLink: https://bugs.launchpad.net/bugs/2011425
commit fb428a2005fc1260d18b989cc5199f281617f44d upstream.

The function mpi3mr_get_all_tgt_info() has four issues:

1) It calculates valid entry length in alltgt_info assuming the header part
   of the struct mpi3mr_device_map_info would equal to sizeof(u32).  The
   correct size is sizeof(u64).

2) When it calculates the valid entry length kern_entrylen, it excludes one
   entry by subtracting 1 from num_devices.

3) It copies num_device by calling memcpy(). Substitution is enough.

4) It does not specify the calculated length to sg_copy_from_buffer().
   Instead, it specifies the payload length which is larger than the
   alltgt_info size. It causes "BUG: KASAN: slab-out-of-bounds".

Fix the issues by using the correct header size, removing the subtraction
from num_devices, replacing the memcpy() with substitution and specifying
the correct length to sg_copy_from_buffer().

Link: https://lore.kernel.org/r/20230214005019.1897251-2-shinichiro.kawasaki@wdc.com
Cc: stable@vger.kernel.org
Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>