@@ -575,7 +575,8 @@ iscsit_xmit_nondatain_pdu(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
return 0;
}
-static int iscsit_map_iovec(struct iscsi_cmd *, struct kvec *, u32, u32);
+static int iscsit_map_iovec(struct iscsi_cmd *, struct kvec *, u32 nvec,
+ u32, u32);
static void iscsit_unmap_iovec(struct iscsi_cmd *);
static u32 iscsit_do_crypto_hash_sg(struct ahash_request *, struct iscsi_cmd *,
u32, u32, u32, u8 *);
@@ -606,7 +607,8 @@ iscsit_xmit_datain_pdu(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
*header_digest);
}
- iov_ret = iscsit_map_iovec(cmd, &cmd->iov_data[1],
+ iov_ret = iscsit_map_iovec(cmd, &cmd->iov_data[iov_count],
+ cmd->orig_iov_data_count - (iov_count + 2),
datain->offset, datain->length);
if (iov_ret < 0)
return -1;
@@ -892,10 +894,11 @@ EXPORT_SYMBOL(iscsit_reject_cmd);
static int iscsit_map_iovec(
struct iscsi_cmd *cmd,
struct kvec *iov,
+ u32 nvec,
u32 data_offset,
u32 data_length)
{
- u32 i = 0;
+ u32 i = 0, orig_data_length = data_length;
struct scatterlist *sg;
unsigned int page_off;
@@ -906,7 +909,7 @@ static int iscsit_map_iovec(
if (ent >= cmd->se_cmd.t_data_nents) {
pr_err("Initial page entry out-of-bounds\n");
- return -1;
+ goto overflow;
}
sg = &cmd->se_cmd.t_data_sg[ent];
@@ -916,7 +919,12 @@ static int iscsit_map_iovec(
cmd->first_data_sg_off = page_off;
while (data_length) {
- u32 cur_len = min_t(u32, data_length, sg->length - page_off);
+ u32 cur_len;
+
+ if (WARN_ON_ONCE(!sg || i >= nvec))
+ goto overflow;
+
+ cur_len = min_t(u32, data_length, sg->length - page_off);
iov[i].iov_base = kmap(sg_page(sg)) + sg->offset + page_off;
iov[i].iov_len = cur_len;
@@ -930,6 +938,16 @@ static int iscsit_map_iovec(
cmd->kmapped_nents = i;
return i;
+
+overflow:
+ pr_err("offset %d + length %d overflow; %d/%d; sg-list:\n",
+ data_offset, orig_data_length, i, nvec);
+ for_each_sg(cmd->se_cmd.t_data_sg, sg,
+ cmd->se_cmd.t_data_nents, i) {
+ pr_err("[%d] off %d len %d\n",
+ i, sg->offset, sg->length);
+ }
+ return -1;
}
static void iscsit_unmap_iovec(struct iscsi_cmd *cmd)
@@ -1577,8 +1595,8 @@ iscsit_get_dataout(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
rx_size += payload_length;
iov = &cmd->iov_data[0];
- iov_ret = iscsit_map_iovec(cmd, iov, be32_to_cpu(hdr->offset),
- payload_length);
+ iov_ret = iscsit_map_iovec(cmd, iov, cmd->orig_iov_data_count - 2,
+ be32_to_cpu(hdr->offset), payload_length);
if (iov_ret < 0)
return -1;
@@ -1598,6 +1616,7 @@ iscsit_get_dataout(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
rx_size += ISCSI_CRC_LEN;
}
+ WARN_ON_ONCE(iov_count >= cmd->orig_iov_data_count);
rx_got = rx_data(conn, &cmd->iov_data[0], iov_count, rx_size);
iscsit_unmap_iovec(cmd);
@@ -1863,6 +1882,7 @@ static int iscsit_handle_nop_out(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
rx_size += ISCSI_CRC_LEN;
}
+ WARN_ON_ONCE(niov >= cmd->orig_iov_data_count);
rx_got = rx_data(conn, &cmd->iov_misc[0], niov, rx_size);
if (rx_got != rx_size) {
ret = -1;
@@ -2273,6 +2293,7 @@ iscsit_handle_text_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
rx_size += ISCSI_CRC_LEN;
}
+ WARN_ON_ONCE(niov >= cmd->orig_iov_data_count);
rx_got = rx_data(conn, &iov[0], niov, rx_size);
if (rx_got != rx_size)
goto reject;
@@ -2585,7 +2606,9 @@ static int iscsit_handle_immediate_data(
struct iscsi_conn *conn = cmd->conn;
struct kvec *iov;
- iov_ret = iscsit_map_iovec(cmd, cmd->iov_data, cmd->write_data_done, length);
+ iov_ret = iscsit_map_iovec(cmd, cmd->iov_data,
+ cmd->orig_iov_data_count - 2,
+ cmd->write_data_done, length);
if (iov_ret < 0)
return IMMEDIATE_DATA_CANNOT_RECOVER;
@@ -2606,6 +2629,7 @@ static int iscsit_handle_immediate_data(
rx_size += ISCSI_CRC_LEN;
}
+ WARN_ON_ONCE(iov_count >= cmd->orig_iov_data_count);
rx_got = rx_data(conn, &cmd->iov_data[0], iov_count, rx_size);
iscsit_unmap_iovec(cmd);
If the code for parsing a CDB sets se_cmd.data_length to a value that is lower than the size of the SCSI Data-Out buffer then a buffer overflow occurs in the iSCSI target driver while receiving the Data-Out buffer. Make the code for receiving that buffer more robust by checking the bounds of the allocated iovec. This patch fixes the following crash: BUG: unable to handle kernel NULL pointer dereference at 00000000 00000014 RIP: 0010:iscsit_map_iovec+0x120/0x190 [iscsi_target_mod] Call Trace: iscsit_get_rx_pdu+0x8a2/0xe00 [iscsi_target_mod] iscsi_target_rx_thread+0x6e/0xa0 [iscsi_target_mod] kthread+0x109/0x140 Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> Cc: Hannes Reinecke <hare@suse.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Andy Grover <agrover@redhat.com> Cc: David Disseldorp <ddiss@suse.de> --- drivers/target/iscsi/iscsi_target.c | 40 +++++++++++++++++++++++++++++-------- 1 file changed, 32 insertions(+), 8 deletions(-)