Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

scsi: target: sbp: Potential integer overflow in sbp_make_tpg()

The variable tpgt in sbp_make_tpg() is defined as unsigned long and is
assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't
tried to trigger it myself, but it is possible to trigger it by calling
sbp_make_tpg() with a large value for tpgt.

Modify the type of tpgt to match tpgt->tport_tpgt and adjust the
relevant code accordingly.

This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential
memory corruption").

Signed-off-by: ReBeating <rebeating@163.com>
Link: https://patch.msgid.link/20251226031936.852-1-rebeating@163.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

authored by ReBeating and committed by Martin K. Petersen
8e8e8e7e 8334f930

+2 -2
drivers/target/sbp/sbp_target.c
··· 1960 1960 container_of(wwn, struct sbp_tport, tport_wwn); 1961 1961 1962 1962 struct sbp_tpg *tpg; 1963 - unsigned long tpgt; 1963 + u16 tpgt; 1964 1964 int ret; 1965 1965 1966 1966 if (strstr(name, "tpgt_") != name) 1967 1967 return ERR_PTR(-EINVAL); 1968 - if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) 1968 + if (kstrtou16(name + 5, 10, &tpgt)) 1969 1969 return ERR_PTR(-EINVAL); 1970 1970 1971 1971 if (tport->tpg) {
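
Review bot: On the new `if (kstrtou16(name + 5, 10, &tpgt))` line, every failure is still reported as -EINVAL, so a tpgt that is numeric but out of range (kstrtou16() returns -ERANGE for that) cannot be told apart from a malformed name. Consider storing the return value and propagating it, or at least stating in the commit message that names such as tpgt_65536, which the removed `tpgt > UINT_MAX` check let through, are now rejected, since that is a user-visible change. A documentation point as well: the commit message refers to tpgt->tport_tpgt, but the declarations in this hunk show that tpgt is the integer and `struct sbp_tpg *tpg` is the pointer, so the message should name the field through tpg.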