scsi: target: core: Fix integer overflow in UNMAP bounds check

sbc_execute_unmap() checks LBA + range does not exceed the device capacity,
but does not guard against LBA + range wrapping around on 64-bit overflow.

Add an overflow check matching the pattern already used for WRITE_SAME in
the same file.

Fixes: 86d7182985d2 ("target: Add sbc_execute_unmap() helper")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881593C61AD52C69FBDB0BDAF7CA@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index abe91dc8722e4c54be75a3a9f2e55e1395aac303..21f5cb86d70c0013e922cd53da325d328546d591 100644 (file)
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -1187,7 +1187,8 @@ sbc_execute_unmap(struct se_cmd *cmd)
                        goto err;
                }
 
-               if (lba + range > dev->transport->get_blocks(dev) + 1) {
+               if (lba + range < lba ||
+                   lba + range > dev->transport->get_blocks(dev) + 1) {
                        ret = TCM_ADDRESS_OUT_OF_RANGE;
                        goto err;
                }