Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
"Three fixes, all in drivers. The lpfc one doesn't look exploitable,
but nasty things could happen in string operations if mybuf ends up
with an on stack unterminated string"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: vmw_pvscsi: Set residual data length conditionally
scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()

+11 -6
+4 -2
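--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -3100,6 +3100,8 @@
 {
 struct iscsi_conn *conn = cls_conn->dd_data;
 struct iscsi_session *session = conn->session;
+char *tmp_persistent_address = conn->persistent_address;
+char *tmp_local_ipaddr = conn->local_ipaddr;
 
 del_timer_sync(&conn->transport_timer);
 
@@ -3123,8 +3121,6 @@
 spin_lock_bh(&session->frwd_lock);
 free_pages((unsigned long) conn->data,
 get_order(ISCSI_DEF_MAX_RECV_SEG_LEN));
-kfree(conn->persistent_address);
-kfree(conn->local_ipaddr);
 /* regular RX path uses back_lock */
 spin_lock_bh(&session->back_lock);
 kfifo_in(&session->cmdpool.queue, (void*)&conn->login_task,
@@ -3134,6 +3134,8 @@
 mutex_unlock(&session->eh_mutex);
 
 iscsi_destroy_conn(cls_conn);
+kfree(tmp_persistent_address);
+kfree(tmp_local_ipaddr);
 }
 EXPORT_SYMBOL_GPL(iscsi_conn_teardown);
 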
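Review bot: The deferred `kfree()` calls at the end of the function only close the use-after-free because they run after `iscsi_destroy_conn(cls_conn)`, but nothing in the code says so, and a later cleanup could move them back under `frwd_lock` and reopen the bug named in the commit title. I would add a comment above them such as `/* free only after iscsi_destroy_conn(): iscsi_conn_get_param() can read these strings until the conn is unregistered */`. The two temporaries are also captured at function entry, before any lock visible here is taken, so if another path can still replace `conn->persistent_address` or `conn->local_ipaddr` during teardown (not visible on this page) the saved pointers would be stale; confirm that cannot happen or take the snapshot later. Parts of the function body lie outside the displayed hunks.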
+2 -2
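--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2954,8 +2954,8 @@
 char mybuf[64];
 char *pbuf;
 
-if (nbytes > 64)
-nbytes = 64;
+if (nbytes > 63)
+nbytes = 63;
 
 memset(mybuf, 0, sizeof(mybuf));
 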
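Review bot: The clamp now hard-codes 63 next to `char mybuf[64]`, so the bound and the buffer size can drift apart if the array is ever resized, which would bring back the unterminated-string case described in the pull message. Deriving the limit from the array keeps the terminator guarantee tied to the declaration: `if (nbytes > sizeof(mybuf) - 1)` followed by `nbytes = sizeof(mybuf) - 1;`. The copy into `mybuf` and the later string parsing are outside this hunk, so check that they use `nbytes` and not a separate constant.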
+5 -2
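--- a/drivers/scsi/vmw_pvscsi.c
+++ b/drivers/scsi/vmw_pvscsi.c
@@ -586,9 +586,12 @@
 * Commands like INQUIRY may transfer less data than
 * requested by the initiator via bufflen. Set residual
 * count to make upper layer aware of the actual amount
-* of data returned.
+* of data returned. There are cases when controller
+* returns zero dataLen with non zero data - do not set
+* residual count in that case.
 */
-scsi_set_resid(cmd, scsi_bufflen(cmd) - e->dataLen);
+if (e->dataLen && (e->dataLen < scsi_bufflen(cmd)))
+scsi_set_resid(cmd, scsi_bufflen(cmd) - e->dataLen);
 cmd->result = (DID_OK << 16);
 break;
 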
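Review bot: With the new condition, a completion whose `e->dataLen` is zero, or larger than `scsi_bufflen(cmd)`, leaves the residual untouched, so the upper layer will presumably treat the whole buffer as valid even when the device wrote nothing into it. `e->dataLen` comes from the controller, so both cases deserve to be visible rather than silent. The comment should say that an unset residual is a deliberate trade-off for controllers that report zero with data present, and the oversized case could be logged or treated as an error instead of falling through to `DID_OK`. The enclosing switch and function start and end outside the hunk.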