From: lixiubo@cmss.chinamobile.com
To: nab@linux-iscsi.org, mchristi@redhat.com
Cc: bryantly@linux.vnet.ibm.com, linux-scsi@vger.kernel.org, target-devel@vger.kernel.org, Xiubo Li
Subject: [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy
Date: Wed, 12 Jul 2017 15:51:17 +0800
Message-Id: <1499845877-18931-1-git-send-email-lixiubo@cmss.chinamobile.com>

From: Xiubo Li

For most cases the sg->length equals PAGE_SIZE, so this bug won't be triggered. Otherwise this will crash the kernel, for example when all segments' sg->length is equal to 1K.

Signed-off-by: Xiubo Li
Reviewed-by: Mike Christie

--- drivers/target/target_core_user.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c index 8bf0823..9030c2a 100644 --- a/drivers/target/target_core_user.c +++ b/drivers/target/target_core_user.c @@ -590,8 +590,6 @@ static int scatter_data_area(struct tcmu_dev *udev, block_remaining); to_offset = get_block_offset_user(udev, dbi, block_remaining); - offset = DATA_BLOCK_SIZE - block_remaining; - to += offset; if (*iov_cnt != 0 && to_offset == iov_tail(*iov)) { @@ -602,8 +600,10 @@ static int scatter_data_area(struct tcmu_dev *udev, (*iov)->iov_len = copy_bytes; } if (copy_data) { - memcpy(to, from + sg->length - sg_remaining, - copy_bytes); + offset = DATA_BLOCK_SIZE - block_remaining; + memcpy(to + offset, + from + sg->length - sg_remaining, + copy_bytes); tcmu_flush_dcache_range(to, copy_bytes); } sg_remaining -= copy_bytes; 
@@ -664,9 +664,8 @@ static void gather_data_area(struct tcmu_dev *udev, struct tcmu_cmd *cmd, copy_bytes = min_t(size_t, sg_remaining, block_remaining); offset = DATA_BLOCK_SIZE - block_remaining; - from += offset; tcmu_flush_dcache_range(from, copy_bytes); - memcpy(to + sg->length - sg_remaining, from, + memcpy(to + sg->length - sg_remaining, from + offset, copy_bytes); sg_remaining -= copy_bytes;
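Review bot: In the `@@ -602,8 +600,10 @@` hunk of scatter_data_area, the unchanged line `tcmu_flush_dcache_range(to, copy_bytes);` still passes the bare `to`, but the memcpy now writes at `to + offset`, so whenever `offset` is non-zero the flushed range is not the range that was just written. Before this change `to` had already been advanced by `offset`, so the two calls agreed. Suggest flushing `to + offset`, or computing the destination pointer once in a local and passing it to both the memcpy and the flush.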
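Review bot: In the `@@ -664,9 +664,8 @@` hunk of gather_data_area, dropping `from += offset;` leaves `tcmu_flush_dcache_range(from, copy_bytes);` operating on the start of the mapping while the memcpy reads from `from + offset`, so the cache maintenance and the copy cover different bytes once `offset` is non-zero. Suggest `tcmu_flush_dcache_range(from + offset, copy_bytes);` so the flush matches the source range of the copy. The changelog would also benefit from one sentence saying that the pointer was being advanced cumulatively, since "address overflow" alone does not say which pointer went out of range or why.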