diff mbox series

mpi3mr: sanitise num_phys

Message ID 20240226151013.8653-1-thenzl@redhat.com (mailing list archive)
State Accepted
Headers show
Series mpi3mr: sanitise num_phys | expand

Commit Message

Tomas Henzl Feb. 26, 2024, 3:10 p.m. UTC
Information is stored in mr_sas_port->phy_mask, values larger then size
of this field shouldn't be allowed.

Signed-off-by: Tomas Henzl <thenzl@redhat.com>
---
 drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

Sathya Prakash Veerichetty May 7, 2024, 2:48 p.m. UTC | #1
On Mon, Feb 26, 2024 at 8:14 AM Tomas Henzl <thenzl@redhat.com> wrote:
>
> Information is stored in mr_sas_port->phy_mask, values larger then size
> of this field shouldn't be allowed.
>
> Signed-off-by: Tomas Henzl <thenzl@redhat.com>
> ---
Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>

>  drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c
> index c0c8ab586957..352f006c8fe4 100644
> --- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
> +++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
> @@ -1355,11 +1355,21 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc,
>         mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node,
>             mr_sas_port->remote_identify.sas_address, hba_port);
>
> +       if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8)
> +               ioc_info(mrioc, "max port count %u could be too high\n",
> +                   mr_sas_node->num_phys);
> +
>         for (i = 0; i < mr_sas_node->num_phys; i++) {
>                 if ((mr_sas_node->phy[i].remote_identify.sas_address !=
>                     mr_sas_port->remote_identify.sas_address) ||
>                     (mr_sas_node->phy[i].hba_port != hba_port))
>                         continue;
> +
> +               if (i > sizeof(mr_sas_port->phy_mask) * 8) {
> +                       ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n",
> +                           i, sizeof(mr_sas_port->phy_mask) * 8);
> +                       goto out_fail;
> +               }
>                 list_add_tail(&mr_sas_node->phy[i].port_siblings,
>                     &mr_sas_port->phy_list);
>                 mr_sas_port->num_phys++;
> --
> 2.43.2
>
Martin K. Petersen May 9, 2024, 1:41 a.m. UTC | #2
Sathya,

>> Information is stored in mr_sas_port->phy_mask, values larger then
>> size of this field shouldn't be allowed.

Applied to 6.10/scsi-staging, thanks!
Martin K. Petersen May 11, 2024, 6:39 p.m. UTC | #3
On Mon, 26 Feb 2024 16:10:13 +0100, Tomas Henzl wrote:

> Information is stored in mr_sas_port->phy_mask, values larger then size
> of this field shouldn't be allowed.
> 
> 

Applied to 6.10/scsi-queue, thanks!

[1/1] mpi3mr: sanitise num_phys
      https://git.kernel.org/mkp/scsi/c/3668651def2c
diff mbox series

Patch

diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c
index c0c8ab586957..352f006c8fe4 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
@@ -1355,11 +1355,21 @@  static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc,
 	mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node,
 	    mr_sas_port->remote_identify.sas_address, hba_port);
 
+	if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8)
+		ioc_info(mrioc, "max port count %u could be too high\n",
+		    mr_sas_node->num_phys);
+
 	for (i = 0; i < mr_sas_node->num_phys; i++) {
 		if ((mr_sas_node->phy[i].remote_identify.sas_address !=
 		    mr_sas_port->remote_identify.sas_address) ||
 		    (mr_sas_node->phy[i].hba_port != hba_port))
 			continue;
+
+		if (i > sizeof(mr_sas_port->phy_mask) * 8) {
+			ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n",
+			    i, sizeof(mr_sas_port->phy_mask) * 8);
+			goto out_fail;
+		}
 		list_add_tail(&mr_sas_node->phy[i].port_siblings,
 		    &mr_sas_port->phy_list);
 		mr_sas_port->num_phys++;