From: "Jeremy Erazo (Devel Group)"
To: "Martin K . Petersen"
Cc: linux-scsi@vger.kernel.org, target-devel@vger.kernel.org, linux-kernel@vger.kernel.org, "Jeremy Erazo (Devel Group)", stable@vger.kernel.org
Subject: [PATCH] scsi: target: iscsi: validate ECDB AHS length
Date: Thu, 7 May 2026 14:25:59 +0000
Message-ID: <20260507142559.2373177-1-mendozayt13@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

iscsit_setup_scsi_cmd() processes the Extended-CDB Additional Header
Segment (AHS) of a SCSI Command PDU without bounding AHSLength, despite
the long-standing "FIXME; Add checks for AdditionalHeaderSegment"
comment a few lines above in the same function.

A SCSI Command PDU sent after iSCSI Login with hlength=1,
ahstype=ISCSI_AHSTYPE_CDB and ahslength=0 reaches:

  cdb = kmalloc(0 + 15, GFP_KERNEL);                  /* 15-byte alloc */
  memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE);              /* 16 -> 15 */
  memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb,
         be16_to_cpu(ecdb_ahdr->ahslength) - 1);      /* (size_t)-1 */

On CONFIG_FORTIFY_SOURCE=y kernels the first memcpy is rejected by
__fortify_panic() because the declared destination size is 15:

  memcpy: detected buffer overflow: 16 byte write of buffer size 15
  kernel BUG at lib/string_helpers.c:1044!
  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
  RIP: 0010:__fortify_panic+0xd/0xf
  Call Trace:
   iscsit_setup_scsi_cmd.cold+0x8c/0x224
   iscsit_get_rx_pdu+0x9ec/0x1740
   iscsi_target_rx_thread+0xf7/0x1f0
   kthread+0x1b4/0x200
  Kernel panic - not syncing: Fatal exception

On kernels without CONFIG_FORTIFY_SOURCE the first memcpy fits in the
kmalloc-16 slab object and execution reaches the second memcpy whose
size argument has wrapped to (size_t)-1.

Reproduced on Linux 7.0 with a malformed Command PDU sent after a
completed iSCSI Login.
The trigger is reachable post-Login by any initiator that successfully
logged in (anonymous on demo-mode targets, authenticated on
CHAP-protected targets). No claim of RCE, LPE or controlled write is
made.

Validate, before any dereference and any allocation:

- the AHS area received from the socket holds at least the 4-byte
  iscsi_ecdb_ahdr header,
- AHSLength is at least 1 (RFC 7143 §10.2.2.3 minimum for the ECDB AHS,
  which carries one reserved byte),
- the declared AHSLength does not exceed the AHS bytes that were
  actually received.

Reported-by: Jeremy Erazo (trexnegr0)
Signed-off-by: Jeremy Erazo (Devel Group)
Cc: stable@vger.kernel.org
---
 drivers/target/iscsi/iscsi_target.c | 33 +++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/isc= si_target.c index e80449f6c..de291eb6f 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -1100,6 +1100,16 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, = struct iscsit_cmd *cmd, cdb =3D hdr->cdb; =20 if (hdr->hlength) { + u16 ahslen; + unsigned int ahs_area_bytes =3D hdr->hlength * 4; + + /* The AHS area must hold at least the iscsi_ecdb_ahdr + * header before any of its fields may be dereferenced. + */ + if (ahs_area_bytes < sizeof(struct iscsi_ecdb_ahdr)) + return iscsit_add_reject_cmd(cmd, + ISCSI_REASON_PROTOCOL_ERROR, buf); + + ecdb_ahdr =3D (struct iscsi_ecdb_ahdr *) (hdr + 1); if (ecdb_ahdr->ahstype !=3D ISCSI_AHSTYPE_CDB) { pr_err("Additional Header Segment type %d not supported!\n", 
@@ -1108,14 +1118,29 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn,= struct iscsit_cmd *cmd, ISCSI_REASON_CMD_NOT_SUPPORTED, buf); } =20 - cdb =3D kmalloc(be16_to_cpu(ecdb_ahdr->ahslength) + 15, - GFP_KERNEL); + /* Per RFC 7143 =C2=A710.2.2.3 AHSLength counts the bytes of + * the AHS that follow the AHSType/AHSLength fields; for + * the ECDB AHS it includes one reserved byte, so the + * smallest legal value is 1. Rejecting 0 prevents the + * "ahslen - 1" memcpy size below from underflowing to + * (size_t)-1, and ensures the kmalloc(ahslen + 15) below + * is at least ISCSI_CDB_SIZE (16) so the first memcpy + * does not overflow. Also reject any AHSLength larger + * than the AHS bytes that actually reached us. + */ + ahslen =3D be16_to_cpu(ecdb_ahdr->ahslength); + if (ahslen < 1 || + ahslen - 1 > ahs_area_bytes - + offsetof(struct iscsi_ecdb_ahdr, ecdb)) + return iscsit_add_reject_cmd(cmd, + ISCSI_REASON_PROTOCOL_ERROR, buf); + + cdb =3D kmalloc(ahslen + 15, GFP_KERNEL); if (cdb =3D=3D NULL) return iscsit_add_reject_cmd(cmd, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE); - memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb, - be16_to_cpu(ecdb_ahdr->ahslength) - 1); + memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb, ahslen - 1); } =20 data_direction =3D (hdr->flags & ISCSI_FLAG_CMD_WRITE) ? DMA_TO_DEVICE : base-commit: a293ec25d59dd96309058c70df5a4dd0f889a1e4 --=20 2.53.0
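Review bot: in the first hunk (@@ -1100,6 +1100,16 @@) the guard "if (ahs_area_bytes < sizeof(struct iscsi_ecdb_ahdr))" compares against the whole struct rather than the 4-byte AHSLength/AHSType/Reserved header the commit message says it is checking for; the second hunk's offsetof(struct iscsi_ecdb_ahdr, ecdb) shows the struct carries an ecdb[] member after that header, so sizeof() is larger than the header and a well-formed short ECDB AHS (any hlength below sizeof()/4 words) would be rejected with a protocol error. Use the same bound in both places, "if (ahs_area_bytes < offsetof(struct iscsi_ecdb_ahdr, ecdb))", and say in the comment that this check relies on the receive path having read hlength * 4 AHS bytes before iscsit_setup_scsi_cmd() runs, since that is the "bytes actually received" the commit message promises to validate against.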
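Review bot: in the second hunk (@@ -1108,14 +1118,29 @@) the comparison "ahslen - 1 > ahs_area_bytes - offsetof(struct iscsi_ecdb_ahdr, ecdb)" mixes an int on the left (u16 promoted) with a size_t on the right, so it is only safe because of the "ahslen < 1 ||" short-circuit in front of it and the floor the first hunk puts on ahs_area_bytes; that coupling deserves a line in the comment, or better compute "size_t ecdb_avail = ahs_area_bytes - offsetof(struct iscsi_ecdb_ahdr, ecdb);" once and test "ahslen - 1 > ecdb_avail" so the dependency is explicit and the types match. The new comment block should also follow the kernel's multi-line comment style, with "/*" on a line of its own, and can be cut to the two facts that matter at this point (AHSLength counts the reserved byte, so its minimum is 1; AHSLength cannot exceed the AHS bytes received); the kmalloc/memcpy sizing the commit message already explains does not need to be repeated inline.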
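As an added example that is not part of the patch or of the kernel tree: a userspace C model of the ECDB AHS block in iscsit_setup_scsi_cmd(), showing the pre-patch size arithmetic described in the commit message (kmalloc(AHSLength + 15), then a memcpy of AHSLength - 1 bytes) beside a checked path that applies the three validations listed above in that order. It assumes the RFC 7143 layout of the SCSI Command BHS (hlength at byte 4, the 16-byte CDB at bytes 32..47) and of the Extended CDB AHS (a 4-byte header of AHSLength, AHSType and Reserved, then the spill-over CDB bytes), and uses that 4-byte header size as the first bound, as the commit message states it. The struct, constant and function names (bhs_view, ecdb_ahs, build_pdu, unchecked_sizes, parse_ecdb) are the example's own, and every PDU it handles is constructed in code; pdu_len stands in for the byte count the receive path actually read.

```c
/* Added example, not kernel code: a userspace model of the ECDB AHS block in
 * iscsit_setup_scsi_cmd(), pre-patch size arithmetic beside the checked path.
 * Struct, constant and function names here are the example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BHS_SIZE     48                   /* iSCSI Basic Header Segment */
#define CDB_SIZE     16                   /* CDB bytes carried in the BHS */
#define AHSTYPE_ECDB 1                    /* RFC 7143 AHSType: Extended CDB */
#define PDU_MAX      (BHS_SIZE + 255 * 4) /* hlength is a single byte */

struct bhs_view {                         /* SCSI Command BHS, RFC 7143 layout */
	uint8_t opcode, flags, rsvd[2];
	uint8_t hlength;                      /* total AHS length in 4-byte words */
	uint8_t dlength[3], lun[8], itt[4], edtl[4], cmdsn[4], expstatsn[4];
	uint8_t cdb[CDB_SIZE];                /* bytes 32..47 */
};

struct ecdb_ahs {                         /* Extended CDB AHS */
	uint8_t ahslength[2];                 /* big-endian; counts reserved + ecdb */
	uint8_t ahstype, reserved;
	uint8_t ecdb[];                       /* CDB bytes 16 onward */
};

enum result { ACCEPT, REJECT_PROTOCOL_ERROR, REJECT_NOT_SUPPORTED, REJECT_NO_RESOURCES };

static uint16_t be16(const uint8_t b[2]) { return (uint16_t)(b[0] << 8 | b[1]); }

/* Constructed Command PDU: CDB bytes 0..15 hold 0..15, then one AHS with the
 * caller's header fields (possibly malformed); the rest of the announced AHS
 * area holds spill bytes 0xa0, 0xa1, ... Returns the PDU's wire size. */
static size_t build_pdu(uint8_t *buf, uint8_t hlength, uint16_t ahslength, uint8_t ahstype)
{
	struct bhs_view *hdr = (struct bhs_view *)buf;
	struct ecdb_ahs *ahs = (struct ecdb_ahs *)(buf + BHS_SIZE);
	size_t area = (size_t)hlength * 4;
	memset(buf, 0, PDU_MAX);
	hdr->opcode = 0x01;                   /* SCSI Command */
	hdr->hlength = hlength;
	for (size_t i = 0; i < CDB_SIZE; i++)
		hdr->cdb[i] = (uint8_t)i;
	ahs->ahslength[0] = (uint8_t)(ahslength >> 8);
	ahs->ahslength[1] = (uint8_t)ahslength;
	ahs->ahstype = ahstype;
	for (size_t i = 4; i < area; i++)
		buf[BHS_SIZE + i] = (uint8_t)(0xa0 + i - 4);
	return BHS_SIZE + area;
}

/* Pre-patch arithmetic, derived from AHSLength alone: returns the length the
 * second memcpy would get and stores the kmalloc size. Computes, never copies. */
static size_t unchecked_sizes(const uint8_t *pdu, size_t *alloc)
{
	uint16_t ahslength = be16(((const struct ecdb_ahs *)(pdu + BHS_SIZE))->ahslength);
	*alloc = (size_t)ahslength + 15;      /* 15, below CDB_SIZE, when 0 */
	return (size_t)ahslength - 1;         /* SIZE_MAX when 0 */
}

/* Checked path in the order the commit message lists: the received area holds
 * the 4-byte header, the type is ECDB, AHSLength is at least 1 and claims no
 * more than what arrived. On ACCEPT, *cdb_out is a malloc'd CDB of *cdb_len bytes. */
static enum result parse_ecdb(const uint8_t *pdu, size_t pdu_len, uint8_t **cdb_out, size_t *cdb_len)
{
	const struct bhs_view *hdr = (const struct bhs_view *)pdu;
	const struct ecdb_ahs *ahs = (const struct ecdb_ahs *)(pdu + BHS_SIZE);
	size_t area = (size_t)hdr->hlength * 4, hdr_sz = offsetof(struct ecdb_ahs, ecdb);
	uint16_t ahslen;
	*cdb_out = NULL;
	if (pdu_len < BHS_SIZE + area || area < hdr_sz)
		return REJECT_PROTOCOL_ERROR;     /* short read, or no room for the header */
	if (ahs->ahstype != AHSTYPE_ECDB)
		return REJECT_NOT_SUPPORTED;
	ahslen = be16(ahs->ahslength);
	if (ahslen < 1 || (size_t)ahslen - 1 > area - hdr_sz)
		return REJECT_PROTOCOL_ERROR;     /* would underflow, or claims unread bytes */
	*cdb_len = (size_t)ahslen + 15;       /* == CDB_SIZE + (ahslen - 1) */
	if (!(*cdb_out = malloc(*cdb_len)))
		return REJECT_NO_RESOURCES;
	memcpy(*cdb_out, hdr->cdb, CDB_SIZE);
	memcpy(*cdb_out + CDB_SIZE, ahs->ecdb, (size_t)ahslen - 1);
	return ACCEPT;
}

int main(void)
{
	uint8_t pdu[PDU_MAX], *cdb;
	size_t alloc, cdb_len, len = build_pdu(pdu, 1, 0, AHSTYPE_ECDB); /* the trigger */
	size_t copy2 = unchecked_sizes(pdu, &alloc);
	printf("unchecked: kmalloc(%zu) then a %zu-byte memcpy\n", alloc, copy2);
	printf("checked:   trigger -> %d\n", parse_ecdb(pdu, len, &cdb, &cdb_len));
	len = build_pdu(pdu, 2, 5, AHSTYPE_ECDB); /* 20-byte CDB: hlength 2, AHSLength 5 */
	if (parse_ecdb(pdu, len, &cdb, &cdb_len) == ACCEPT)
		printf("checked:   %zu-byte CDB, byte 19 = 0x%02x\n", cdb_len, cdb[19]);
	free(cdb);
	return 0;
}
```

With hlength=1 and AHSLength=0 the unchecked arithmetic yields a 15-byte allocation and a memcpy length of SIZE_MAX, while parse_ecdb() rejects the PDU before allocating; an AHS that announces more CDB bytes than hlength covers, or a read that delivered fewer bytes than hlength announces, is rejected the same way, and a well-formed 20-byte CDB (AHSLength 5 in an 8-byte AHS) is assembled from the BHS bytes plus the four spill bytes.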