git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.4.75/iscsi-target-reject-immediate-data-underflow-larger-than-scsi-transfer-length.patch
1 From abb85a9b512e8ca7ad04a5a8a6db9664fe644974 Mon Sep 17 00:00:00 2001
2 From: Nicholas Bellinger <nab@linux-iscsi.org>
3 Date: Wed, 7 Jun 2017 20:29:50 -0700
4 Subject: iscsi-target: Reject immediate data underflow larger than SCSI transfer length
5
6 From: Nicholas Bellinger <nab@linux-iscsi.org>
7
8 commit abb85a9b512e8ca7ad04a5a8a6db9664fe644974 upstream.
9
10 When iscsi WRITE underflow occurs there are two different scenarios
11 that can happen.
12
13 Normally in practice, when an EDTL vs. SCSI CDB TRANSFER LENGTH
14 underflow is detected, the iscsi immediate data payload is the
15 smaller SCSI CDB TRANSFER LENGTH.
16
17 That is, when a host fabric LLD is using a fixed size EDTL for
18 a specific control CDB, the SCSI CDB TRANSFER LENGTH and actual
19 SCSI payload ends up being smaller than EDTL. In iscsi, this
20 means the received iscsi immediate data payload matches the
21 smaller SCSI CDB TRANSFER LENGTH, because there is no more
22 SCSI payload to accept beyond SCSI CDB TRANSFER LENGTH.
23
24 However, it's possible for a malicious host to send a WRITE
25 underflow where EDTL is larger than SCSI CDB TRANSFER LENGTH,
26 but incoming iscsi immediate data actually matches EDTL.
27
28 In the wild, we've never had an iscsi host environment actually
29 try to do this.
30
31 For this special case, it's wrong to truncate part of the
32 control CDB payload and continue to process the command during
33 underflow when immediate data payload received was larger than
34 SCSI CDB TRANSFER LENGTH, so go ahead and reject and drop the
35 bogus payload as a defensive action.
36
37 Note this potential bug was originally relaxed by the following
38 for allowing WRITE underflow in MSFT FCP host environments:
39
40 commit c72c5250224d475614a00c1d7e54a67f77cd3410
41 Author: Roland Dreier <roland@purestorage.com>
42 Date: Wed Jul 22 15:08:18 2015 -0700
43
44 target: allow underflow/overflow for PR OUT etc. commands
45
46 Cc: Roland Dreier <roland@purestorage.com>
47 Cc: Mike Christie <mchristi@redhat.com>
48 Cc: Hannes Reinecke <hare@suse.de>
49 Cc: Martin K. Petersen <martin.petersen@oracle.com>
50 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
51 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
52
53 ---
54 drivers/target/iscsi/iscsi_target.c | 12 ++++++++++++
55 1 file changed, 12 insertions(+)
56
57 --- a/drivers/target/iscsi/iscsi_target.c
58 +++ b/drivers/target/iscsi/iscsi_target.c
59 @@ -1112,6 +1112,18 @@ iscsit_get_immediate_data(struct iscsi_c
60 */
61 if (dump_payload)
62 goto after_immediate_data;
63 + /*
64 + * Check for underflow case where both EDTL and immediate data payload
65 + * exceeds what is presented by CDB's TRANSFER LENGTH, and what has
66 + * already been set in target_cmd_size_check() as se_cmd->data_length.
67 + *
68 + * For this special case, fail the command and dump the immediate data
69 + * payload.
70 + */
71 + if (cmd->first_burst_len > cmd->se_cmd.data_length) {
72 + cmd->sense_reason = TCM_INVALID_CDB_FIELD;
73 + goto after_immediate_data;
74 + }
75
76 immed_ret = iscsit_handle_immediate_data(cmd, hdr,
77 cmd->first_burst_len);
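Review bot: The new `if (cmd->first_burst_len > cmd->se_cmd.data_length)` branch sets `cmd->sense_reason` and jumps to `after_immediate_data`, but nothing visible in this hunk shows that the oversized immediate data is actually drained from the connection on that path, and the branch does not set `dump_payload` the way the check just above it relies on. Since the comment promises to "fail the command and dump the immediate data payload", it should name the code after the label that does the dumping when `sense_reason` is set, or the branch should set `dump_payload` explicitly so the two early exits behave the same way. The comment also says that both EDTL and the immediate data exceed the CDB TRANSFER LENGTH, while the condition compares only `first_burst_len` with `se_cmd.data_length`; one sentence on why that single comparison covers the EDTL case would help, and "exceeds" should read "exceed".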