scsi: qla4xxx: Add length check when parsing nlattrs
[ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ] There are three places that qla4xxx parses nlattrs: - qla4xxx_set_chap_entry() - qla4xxx_iface_set_param() - qla4xxx_sysfs_ddb_set_param() and each of them directly converts the nlattr to specific pointer of structure without length checking. This could be dangerous as those attributes are not validated and a malformed nlattr (e.g., length 0) could result in an OOB read that leaks heap dirty data. Add the nla_len check before accessing the nlattr data and return EINVAL if the length check fails. Fixes:26ffd7b45f
("[SCSI] qla4xxx: Add support to set CHAP entries") Fixes:1e9e2be3ee
("[SCSI] qla4xxx: Add flash node mgmt support") Fixes:00c31889f7
("[SCSI] qla4xxx: fix data alignment and use nl helpers") Signed-off-by: Lin Ma <linma@zju.edu.cn> Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn Reviewed-by: Chris Leech <cleech@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
bc66e701ca
commit
47f3be62ea
@ -939,6 +939,11 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len)
|
|||||||
memset(&chap_rec, 0, sizeof(chap_rec));
|
memset(&chap_rec, 0, sizeof(chap_rec));
|
||||||
|
|
||||||
nla_for_each_attr(attr, data, len, rem) {
|
nla_for_each_attr(attr, data, len, rem) {
|
||||||
|
if (nla_len(attr) < sizeof(*param_info)) {
|
||||||
|
rc = -EINVAL;
|
||||||
|
goto exit_set_chap;
|
||||||
|
}
|
||||||
|
|
||||||
param_info = nla_data(attr);
|
param_info = nla_data(attr);
|
||||||
|
|
||||||
switch (param_info->param) {
|
switch (param_info->param) {
|
||||||
@ -2723,6 +2728,11 @@ qla4xxx_iface_set_param(struct Scsi_Host *shost, void *data, uint32_t len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
nla_for_each_attr(attr, data, len, rem) {
|
nla_for_each_attr(attr, data, len, rem) {
|
||||||
|
if (nla_len(attr) < sizeof(*iface_param)) {
|
||||||
|
rval = -EINVAL;
|
||||||
|
goto exit_init_fw_cb;
|
||||||
|
}
|
||||||
|
|
||||||
iface_param = nla_data(attr);
|
iface_param = nla_data(attr);
|
||||||
|
|
||||||
if (iface_param->param_type == ISCSI_NET_PARAM) {
|
if (iface_param->param_type == ISCSI_NET_PARAM) {
|
||||||
@ -8093,6 +8103,11 @@ qla4xxx_sysfs_ddb_set_param(struct iscsi_bus_flash_session *fnode_sess,
|
|||||||
|
|
||||||
memset((void *)&chap_tbl, 0, sizeof(chap_tbl));
|
memset((void *)&chap_tbl, 0, sizeof(chap_tbl));
|
||||||
nla_for_each_attr(attr, data, len, rem) {
|
nla_for_each_attr(attr, data, len, rem) {
|
||||||
|
if (nla_len(attr) < sizeof(*fnode_param)) {
|
||||||
|
rc = -EINVAL;
|
||||||
|
goto exit_set_param;
|
||||||
|
}
|
||||||
|
|
||||||
fnode_param = nla_data(attr);
|
fnode_param = nla_data(attr);
|
||||||
|
|
||||||
switch (fnode_param->param) {
|
switch (fnode_param->param) {
|
||||||
|
Loading…
Reference in New Issue
Block a user