git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Tony Battersby <tonyb@cybernetics.com>
	Mon, 10 Nov 2025 16:01:00 +0000 (11:01 -0500)
committer	Martin K. Petersen <martin.petersen@oracle.com>
	Wed, 12 Nov 2025 23:17:28 +0000 (18:17 -0500)
commit	091719c21d5aa0d461496de3e120cd864c5750a0
tree	a8842a461001d91d8b57d9424311d859c9237662	tree \| snapshot
parent	3d56983cc6f03aef05ab30f8cd16039c1db3c5e0	commit \| diff

scsi: qla2xxx: target: Fix invalid memory access with big CDBs

struct atio7_fcp_cmnd is a variable-length data structure because of
add_cdb_len, but it is embedded in struct atio_from_isp and copied
around like a fixed-length data structure.  For big CDBs > 16 bytes,
get_datalen_for_atio() called on a fixed-length copy of the atio will
access invalid memory.

In some cases this can be fixed by moving the atio to the end of the
data structure and using a variable-length allocation.  In other cases
such as allocating struct qla_tgt_cmd, the fixed-length data structures
are preallocated for speed, so in the case that add_cdb_len != 0,
allocate a separate buffer for the CDB.  Also add memcpy_atio() as a
safeguard against invalid memory accesses.

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/306a9d0b-3c89-42fc-a69c-eebca8171347@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

drivers/scsi/qla2xxx/qla_target.c		diff \| blob \| blame \| history
drivers/scsi/qla2xxx/qla_target.h		diff \| blob \| blame \| history