diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-02-05 10:37:33 +0300 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2016-08-26 20:02:17 +0200 |
| commit | 21b12d94cb48ccb1f4fdf9e941b99d119f4d5a8d (patch) | |
| tree | 60c3330e7de1b7fa406485c0af076d023ed2ba5f /scripts | |
| parent | 5e0aa0209bdc571eddb12fc99d8c488052d2b347 (diff) | |
vhost/scsi: potential memory corruption
commit 59c816c1f24df0204e01851431d3bab3eb76719c upstream.
This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
I looked at the context and it turns out that in
vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
anything higher than 255 then it is invalid. I have made that the limit
now.
In vhost_scsi_send_evt() we mask away values higher than 255, but now
that the limit has changed, we don't need the mask.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[ The affected function was renamed to vhost_scsi_make_tpg before
the vulnerability was announced, I ported it to 3.10 stable and
changed the code in function tcm_vhost_make_tpg]
Signed-off-by: Wang Long <long.wanglong@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Stefan Guendhoer <stefan@guendhoer.com>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions