From: Dan Carpenter <error27@gmail.com>
Date: Fri, 10 Apr 2026 10:14:52 +0000 (+0300)
Subject: scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a42ca4d2bff6306dd574a7897258fd02c2e6930;p=thirdparty%2Fkernel%2Flinux.git

scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()

The bounds checking in scsi_bsg_uring_cmd() does not work because
cmd->request_len is a u32 and scmd->cmd_len is a u16.  We check that
scmd->cmd_len is valid but if the cmd->request_len is more than
USHRT_MAX it would still lead to a buffer overflow when we do the
copy_from_user().

Fixes: 7b6d3255e7f8 ("scsi: bsg: add io_uring passthrough handler")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/adjNnMYK7A7KMNkA@stanley.mountain
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/drivers/scsi/scsi_bsg.c b/drivers/scsi/scsi_bsg.c
index c3ce497a3b94f..e80dec53174ea 100644
--- a/drivers/scsi/scsi_bsg.c
+++ b/drivers/scsi/scsi_bsg.c
@@ -137,11 +137,11 @@ static int scsi_bsg_uring_cmd(struct request_queue *q, struct io_uring_cmd *iouc
 		return PTR_ERR(req);
 
 	scmd = blk_mq_rq_to_pdu(req);
-	scmd->cmd_len = cmd->request_len;
-	if (scmd->cmd_len > sizeof(scmd->cmnd)) {
+	if (cmd->request_len > sizeof(scmd->cmnd)) {
 		ret = -EINVAL;
 		goto out_free_req;
 	}
+	scmd->cmd_len = cmd->request_len;
 	scmd->allowed = SG_DEFAULT_RETRIES;
 
 	if (copy_from_user(scmd->cmnd, uptr64(cmd->request), cmd->request_len)) {