Message ID | 20210528181337.792268-4-keescook@chromium.org (mailing list archive) |
---|---|
State | Accepted |
Series | scsi: Fix a handful of memcpy() field overflows |
On 5/28/21 13:13, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), avoid intentionally writing across > neighboring array fields. > > Switch from rsp_ui to resp_buf, since resp_ui isn't SSP_RESP_IU_MAX_SIZE > bytes in length. This avoids future compile-time warnings. > > Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org> Thanks -- Gustavo > --- > drivers/scsi/isci/task.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c > index 62062ed6cd9a..eeaec26ac324 100644 > --- a/drivers/scsi/isci/task.c > +++ b/drivers/scsi/isci/task.c > @@ -709,8 +709,8 @@ isci_task_request_complete(struct isci_host *ihost, > tmf->status = completion_status; > > if (tmf->proto == SAS_PROTOCOL_SSP) { > - memcpy(&tmf->resp.resp_iu, > - &ireq->ssp.rsp, > + memcpy(tmf->resp.rsp_buf, > + ireq->ssp.rsp_buf, > SSP_RESP_IU_MAX_SIZE); > } else if (tmf->proto == SAS_PROTOCOL_SATA) { > memcpy(&tmf->resp.d2h_fis, >
diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c index 62062ed6cd9a..eeaec26ac324 100644 --- a/drivers/scsi/isci/task.c +++ b/drivers/scsi/isci/task.c @@ -709,8 +709,8 @@ isci_task_request_complete(struct isci_host *ihost, tmf->status = completion_status; if (tmf->proto == SAS_PROTOCOL_SSP) { - memcpy(&tmf->resp.resp_iu, - &ireq->ssp.rsp, + memcpy(tmf->resp.rsp_buf, + ireq->ssp.rsp_buf, SSP_RESP_IU_MAX_SIZE); } else if (tmf->proto == SAS_PROTOCOL_SATA) { memcpy(&tmf->resp.d2h_fis,
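Review bot: In the SSP branch of isci_task_request_complete(), the copy length is still the bare constant SSP_RESP_IU_MAX_SIZE, so the bound is tied to the destination field only by convention. Using sizeof(tmf->resp.rsp_buf) as the length would keep the copy inside that field even if the buffer's definition changes later, which is the property the fortified memcpy() is meant to check. The commit message also names the fields as rsp_ui, resp_ui and resp_buf, while the hunk uses resp_iu and rsp_buf; the description should match the code so the change can be found by field name. The SATA branch in the trailing context begins a memcpy() into &tmf->resp.d2h_fis whose length is not visible here, so it is worth confirming that its length matches that field as well.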
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), avoid intentionally writing across
neighboring array fields.

Switch from rsp_ui to resp_buf, since resp_ui isn't SSP_RESP_IU_MAX_SIZE
bytes in length. This avoids future compile-time warnings.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/scsi/isci/task.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)