From: Tyllis Xu
To: tyreld@linux.ibm.com, martin.petersen@oracle.com
Cc: James.Bottomley@HansenPartnership.com, maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com, chleroy@kernel.org, linux-scsi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, danisjiang@gmail.com, ychen@northwestern.edu, Tyllis Xu
Subject: [PATCH] scsi: ibmvfc: fix out-of-bounds write in ibmvfc_channel_setup_done
Date: Fri, 20 Mar 2026 22:37:54 -0500
Message-ID: <20260321033754.899928-1-LivelyCarpet87@gmail.com>

In ibmvfc_channel_setup_done(), the firmware-supplied num_scsi_subq_channels from the MAD response buffer is assigned directly to active_queues without being validated against scrqs->max_queues, the allocated size of the scrqs->scrqs[] array. A malicious or compromised hypervisor can supply a value larger than max_queues, causing the loop to write attacker-controlled 64-bit cookie values beyond the end of the heap-allocated queue array and corrupting adjacent kernel memory.

Use min_t(u32, ...) rather than min_t(int, ...) to clamp active_queues. The firmware field is a __be32 whose decoded value is assigned to an int; a value exceeding INT_MAX would produce a negative int that min_t(int) would pass through unchanged, storing UINT_MAX into the unsigned int scrqs->active_queues. Using u32 arithmetic ensures any out-of-range value is correctly clamped to max_queues regardless of sign.

Fixes: b88a5d9b7f56 ("scsi: ibmvfc: Register Sub-CRQ handles with VIOS during channel setup")
Reported-by: Yuhao Jiang
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu
---
 drivers/scsi/ibmvscsi/ibmvfc.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c index a20fce04fe79..5694530c4b2f 100644 --- a/drivers/scsi/ibmvscsi/ibmvfc.c +++ b/drivers/scsi/ibmvscsi/ibmvfc.c @@ -5039,6 +5039,7 @@ static void ibmvfc_channel_setup_done(struct ibmvfc_e= vent *evt) flags =3D be32_to_cpu(setup->flags); vhost->do_enquiry =3D 0; active_queues =3D be32_to_cpu(setup->num_scsi_subq_channels); + active_queues =3D min_t(u32, active_queues, scrqs->max_queues); scrqs->active_queues =3D active_queues; =20 if (flags & IBMVFC_CHANNELS_CANCELED) { --=20 2.43.0
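Review bot: the clamp in this hunk silently discards an out-of-range num_scsi_subq_channels, so a firmware response that would have overflowed scrqs->scrqs[] leaves no trace in the kernel log; consider emitting a warning (a dev_warn on the host's device, which is reachable through the vhost pointer already used in the hunk) when the decoded value exceeds scrqs->max_queues before applying min_t, since a response that fails this check indicates either a firmware bug or a hostile hypervisor and is worth surfacing to the operator. Also, the commit message says "Use min_t(u32, ...) rather than min_t(int, ...)", but the hunk adds a single new line rather than replacing an existing min_t(int) call; rewording that sentence to say why u32 was chosen over int (the negative-int pass-through the message already explains) would avoid suggesting that an earlier, weaker clamp existed.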
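The commit message's point about signed versus unsigned clamping is easy to get wrong, so the following is an added, stand-alone illustration (not code from the patch or the ibmvfc driver) of why min over int lets an out-of-range firmware value through while min over u32 bounds it. It decodes a constructed big-endian field the way be32_to_cpu would, stores it in an int as the driver does, and compares the two clamping strategies against a constructed queue-array size; MAX_QUEUES, the byte arrays and the helper names are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Constructed stand-in for scrqs->max_queues, the allocated length of the
 * queue array (assumption; the real value comes from the driver's setup). */
#define MAX_QUEUES 16u

/* Decode a big-endian 32-bit field byte by byte (portable stand-in for be32_to_cpu). */
static uint32_t be32_decode(const unsigned char b[4])
{
	return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
	       ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Clamp using int arithmetic: mirrors what min_t(int, ...) would do.
 * The decoded value goes through an int first, as in the driver, so a
 * field above INT_MAX becomes negative (two's complement wrap on the usual
 * compilers; the C standard calls this conversion implementation-defined). */
static unsigned int clamp_int(const unsigned char be[4], unsigned int max_queues)
{
	int active = (int)be32_decode(be);
	int m = (int)max_queues;
	int r = active < m ? active : m;   /* a negative active "wins" the comparison */
	return (unsigned int)r;            /* stored into an unsigned int, e.g. UINT_MAX */
}

/* Clamp using u32 arithmetic: mirrors min_t(u32, ...). Both operands are
 * compared as unsigned, so a wrapped negative int is a huge u32 and is
 * bounded by max_queues like any other oversized value. */
static unsigned int clamp_u32(const unsigned char be[4], unsigned int max_queues)
{
	int active = (int)be32_decode(be);
	uint32_t a = (uint32_t)active;
	uint32_t m = max_queues;
	return a < m ? a : m;
}

/* A clamped count is safe to use as a loop bound over max_queues entries
 * only if it never exceeds the allocation. */
static int in_bounds(unsigned int active_queues, unsigned int max_queues)
{
	return active_queues <= max_queues;
}

int main(void)
{
	/* Constructed firmware responses: a sane count, an oversized count,
	 * and one above INT_MAX that wraps negative when stored in an int. */
	const unsigned char sane[4]  = { 0x00, 0x00, 0x00, 0x04 };
	const unsigned char big[4]   = { 0x00, 0x00, 0x00, 0x40 };
	const unsigned char wrap[4]  = { 0xFF, 0xFF, 0xFF, 0xFF };

	printf("sane: int=%u u32=%u\n", clamp_int(sane, MAX_QUEUES), clamp_u32(sane, MAX_QUEUES));
	printf("big:  int=%u u32=%u\n", clamp_int(big, MAX_QUEUES), clamp_u32(big, MAX_QUEUES));
	printf("wrap: int=%u u32=%u (int clamp in bounds: %d)\n",
	       clamp_int(wrap, MAX_QUEUES), clamp_u32(wrap, MAX_QUEUES),
	       in_bounds(clamp_int(wrap, MAX_QUEUES), MAX_QUEUES));
	return 0;
}
```

The third case is the one the commit message describes: the int comparison returns the negative value untouched, which becomes UINT_MAX once written to an unsigned field, while the u32 comparison returns MAX_QUEUES. Any later loop that trusts the stored count as its bound is only safe under the second strategy.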