drivers/target/iscsi/iscsi_target.c | 33 +++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-)
iscsit_setup_scsi_cmd() processes the Extended-CDB Additional Header
Segment (AHS) of a SCSI Command PDU without bounding AHSLength,
despite the long-standing "FIXME; Add checks for AdditionalHeaderSegment"
comment a few lines above in the same function.
A SCSI Command PDU sent after iSCSI Login with hlength=1,
ahstype=ISCSI_AHSTYPE_CDB and ahslength=0 reaches:
cdb = kmalloc(0 + 15, GFP_KERNEL); /* 15-byte alloc */
memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE); /* 16 -> 15 */
memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb,
be16_to_cpu(ecdb_ahdr->ahslength) - 1); /* (size_t)-1 */
On CONFIG_FORTIFY_SOURCE=y kernels the first memcpy is rejected by
__fortify_panic() because the declared destination size is 15:
memcpy: detected buffer overflow: 16 byte write of buffer size 15
kernel BUG at lib/string_helpers.c:1044!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:__fortify_panic+0xd/0xf
Call Trace:
iscsit_setup_scsi_cmd.cold+0x8c/0x224
iscsit_get_rx_pdu+0x9ec/0x1740
iscsi_target_rx_thread+0xf7/0x1f0
kthread+0x1b4/0x200
Kernel panic - not syncing: Fatal exception
On kernels without CONFIG_FORTIFY_SOURCE the first memcpy fits in the
kmalloc-16 slab object and execution reaches the second memcpy whose
size argument has wrapped to (size_t)-1.
Reproduced on Linux 7.0 with a malformed Command PDU sent after a
completed iSCSI Login. The trigger is reachable post-Login by any
initiator that successfully logged in (anonymous on demo-mode targets,
authenticated on CHAP-protected targets). No claim of RCE, LPE or
controlled write is made.
Validate, before any dereference and any allocation:
- the AHS area received from the socket holds at least the 4-byte
iscsi_ecdb_ahdr header,
- AHSLength is at least 1 (RFC 7143 §10.2.2.3 minimum for the ECDB
AHS, which carries one reserved byte),
- the declared AHSLength does not exceed the AHS bytes that were
actually received.
Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
Cc: stable@vger.kernel.org
---
drivers/target/iscsi/iscsi_target.c | 33 +++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index e80449f6c..de291eb6f 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -1100,6 +1100,16 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, struct iscsit_cmd *cmd,
cdb = hdr->cdb;
if (hdr->hlength) {
+ u16 ahslen;
+ unsigned int ahs_area_bytes = hdr->hlength * 4;
+
+ /* The AHS area must hold at least the iscsi_ecdb_ahdr
+ * header before any of its fields may be dereferenced.
+ */
+ if (ahs_area_bytes < sizeof(struct iscsi_ecdb_ahdr))
+ return iscsit_add_reject_cmd(cmd,
+ ISCSI_REASON_PROTOCOL_ERROR, buf);
+
ecdb_ahdr = (struct iscsi_ecdb_ahdr *) (hdr + 1);
if (ecdb_ahdr->ahstype != ISCSI_AHSTYPE_CDB) {
pr_err("Additional Header Segment type %d not supported!\n",
@@ -1108,14 +1118,29 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, struct iscsit_cmd *cmd,
ISCSI_REASON_CMD_NOT_SUPPORTED, buf);
}
- cdb = kmalloc(be16_to_cpu(ecdb_ahdr->ahslength) + 15,
- GFP_KERNEL);
+ /* Per RFC 7143 §10.2.2.3 AHSLength counts the bytes of
+ * the AHS that follow the AHSType/AHSLength fields; for
+ * the ECDB AHS it includes one reserved byte, so the
+ * smallest legal value is 1. Rejecting 0 prevents the
+ * "ahslen - 1" memcpy size below from underflowing to
+ * (size_t)-1, and ensures the kmalloc(ahslen + 15) below
+ * is at least ISCSI_CDB_SIZE (16) so the first memcpy
+ * does not overflow. Also reject any AHSLength larger
+ * than the AHS bytes that actually reached us.
+ */
+ ahslen = be16_to_cpu(ecdb_ahdr->ahslength);
+ if (ahslen < 1 ||
+ ahslen - 1 > ahs_area_bytes -
+ offsetof(struct iscsi_ecdb_ahdr, ecdb))
+ return iscsit_add_reject_cmd(cmd,
+ ISCSI_REASON_PROTOCOL_ERROR, buf);
+
+ cdb = kmalloc(ahslen + 15, GFP_KERNEL);
if (cdb == NULL)
return iscsit_add_reject_cmd(cmd,
ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);
memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE);
- memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb,
- be16_to_cpu(ecdb_ahdr->ahslength) - 1);
+ memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb, ahslen - 1);
}
data_direction = (hdr->flags & ISCSI_FLAG_CMD_WRITE) ? DMA_TO_DEVICE :
base-commit: a293ec25d59dd96309058c70df5a4dd0f889a1e4
--
2.53.0
On 02/06/2026 04:16, Jeremy Erazo wrote:
> iscsit_setup_scsi_cmd() processes the Extended-CDB Additional Header
> Segment (AHS) of a SCSI Command PDU without bounding AHSLength,
> despite the long-standing "FIXME; Add checks for AdditionalHeaderSegment"
if this is being fixed, then why not remove the comment?
> comment a few lines above in the same function.
>
> A SCSI Command PDU sent after iSCSI Login with hlength=1,
> ahstype=ISCSI_AHSTYPE_CDB and ahslength=0 reaches:
>
> cdb = kmalloc(0 + 15, GFP_KERNEL); /* 15-byte alloc */
> memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE); /* 16 -> 15 */
> memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb,
> be16_to_cpu(ecdb_ahdr->ahslength) - 1); /* (size_t)-1 */
>
> On CONFIG_FORTIFY_SOURCE=y kernels the first memcpy is rejected by
> __fortify_panic() because the declared destination size is 15:
>
> memcpy: detected buffer overflow: 16 byte write of buffer size 15
> kernel BUG at lib/string_helpers.c:1044!
> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> RIP: 0010:__fortify_panic+0xd/0xf
> Call Trace:
> iscsit_setup_scsi_cmd.cold+0x8c/0x224
> iscsit_get_rx_pdu+0x9ec/0x1740
> iscsi_target_rx_thread+0xf7/0x1f0
> kthread+0x1b4/0x200
> Kernel panic - not syncing: Fatal exception
>
> On kernels without CONFIG_FORTIFY_SOURCE the first memcpy fits in the
> kmalloc-16 slab object and execution reaches the second memcpy whose
> size argument has wrapped to (size_t)-1.
>
> Reproduced on Linux 7.0
Please post against latest mainline kernel / maintainer tree
> with a malformed Command PDU sent after a
> completed iSCSI Login. The trigger is reachable post-Login by any
> initiator that successfully logged in (anonymous on demo-mode targets,
> authenticated on CHAP-protected targets). No claim of RCE, LPE or
> controlled write is made.
>
> Validate, before any dereference and any allocation:
>
> - the AHS area received from the socket holds at least the 4-byte
> iscsi_ecdb_ahdr header,
> - AHSLength is at least 1 (RFC 7143 §10.2.2.3 minimum for the ECDB
> AHS, which carries one reserved byte),
> - the declared AHSLength does not exceed the AHS bytes that were
> actually received.
>
> Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
> Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
> Cc: stable@vger.kernel.org
> ---
> drivers/target/iscsi/iscsi_target.c | 33 +++++++++++++++++++++++++----
> 1 file changed, 29 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
> index e80449f6c..de291eb6f 100644
> --- a/drivers/target/iscsi/iscsi_target.c
> +++ b/drivers/target/iscsi/iscsi_target.c
> @@ -1100,6 +1100,16 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, struct iscsit_cmd *cmd,
> cdb = hdr->cdb;
>
> if (hdr->hlength) {
> + u16 ahslen;
> + unsigned int ahs_area_bytes = hdr->hlength * 4;
> +
> + /* The AHS area must hold at least the iscsi_ecdb_ahdr
please use standard kernel coding style for comments
> + * header before any of its fields may be dereferenced.
> + */
> + if (ahs_area_bytes < sizeof(struct iscsi_ecdb_ahdr))
> + return iscsit_add_reject_cmd(cmd,
> + ISCSI_REASON_PROTOCOL_ERROR, buf);
ISCSI_AHSTYPE_RLENGTH means a smaller structure (than ecdb_ahdr), right?
If so, for ISCSI_AHSTYPE_RLENGTH type handling, the return code would be
ISCSI_REASON_PROTOCOL_ERROR and not ISCSI_REASON_CMD_NOT_SUPPORTED,
which does not seem proper.
> +> ecdb_ahdr = (struct iscsi_ecdb_ahdr *) (hdr + 1);
> if (ecdb_ahdr->ahstype != ISCSI_AHSTYPE_CDB) {
> pr_err("Additional Header Segment type %d not supported!\n",
> @@ -1108,14 +1118,29 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, struct iscsit_cmd *cmd,
> ISCSI_REASON_CMD_NOT_SUPPORTED, buf);
> }
>
> - cdb = kmalloc(be16_to_cpu(ecdb_ahdr->ahslength) + 15,
> - GFP_KERNEL);
> + /* Per RFC 7143 §10.2.2.3 AHSLength counts the bytes of
> + * the AHS that follow the AHSType/AHSLength fields; for
> + * the ECDB AHS it includes one reserved byte, so the
> + * smallest legal value is 1. Rejecting 0 prevents the
> + * "ahslen - 1" memcpy size below from underflowing to
> + * (size_t)-1, and ensures the kmalloc(ahslen + 15) below
> + * is at least ISCSI_CDB_SIZE (16) so the first memcpy
> + * does not overflow. Also reject any AHSLength larger
> + * than the AHS bytes that actually reached us.
> + */
> + ahslen = be16_to_cpu(ecdb_ahdr->ahslength);
> + if (ahslen < 1 ||
> + ahslen - 1 > ahs_area_bytes -
> + offsetof(struct iscsi_ecdb_ahdr, ecdb))
please use {}
> + return iscsit_add_reject_cmd(cmd,
> + ISCSI_REASON_PROTOCOL_ERROR, buf);
> +
> + cdb = kmalloc(ahslen + 15, GFP_KERNEL);
> if (cdb == NULL)
> return iscsit_add_reject_cmd(cmd,
> ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);
> memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE);
> - memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb,
> - be16_to_cpu(ecdb_ahdr->ahslength) - 1);
> + memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb, ahslen - 1);
> }
>
> data_direction = (hdr->flags & ISCSI_FLAG_CMD_WRITE) ? DMA_TO_DEVICE :
>
> base-commit: a293ec25d59dd96309058c70df5a4dd0f889a1e4
© 2016 - 2026 Red Hat, Inc.