From: Jeremy Erazo
To: target-devel@vger.kernel.org, linux-scsi@vger.kernel.org
Cc: "Martin K . Petersen", Vincent Donnefort, John Garry, Mike Christie, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] scsi: target: iscsi: validate ECDB AHS length
Date: Tue, 2 Jun 2026 03:16:54 +0000
Message-ID: <20260602031654.3462944-1-mendozayt13@gmail.com>
X-Mailer: git-send-email 2.53.0

iscsit_setup_scsi_cmd() processes the Extended-CDB Additional Header
Segment (AHS) of a SCSI Command PDU without bounding AHSLength, despite
the long-standing "FIXME; Add checks for AdditionalHeaderSegment" comment
a few lines above in the same function.

A SCSI Command PDU sent after iSCSI Login with hlength=1,
ahstype=ISCSI_AHSTYPE_CDB and ahslength=0 reaches:

  cdb = kmalloc(0 + 15, GFP_KERNEL);                /* 15-byte alloc */
  memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE);            /* 16 -> 15 */
  memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb,
         be16_to_cpu(ecdb_ahdr->ahslength) - 1);    /* (size_t)-1 */

On CONFIG_FORTIFY_SOURCE=y kernels the first memcpy is rejected by
__fortify_panic() because the declared destination size is 15:

  memcpy: detected buffer overflow: 16 byte write of buffer size 15
  kernel BUG at lib/string_helpers.c:1044!
  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
  RIP: 0010:__fortify_panic+0xd/0xf
  Call Trace:
   iscsit_setup_scsi_cmd.cold+0x8c/0x224
   iscsit_get_rx_pdu+0x9ec/0x1740
   iscsi_target_rx_thread+0xf7/0x1f0
   kthread+0x1b4/0x200
  Kernel panic - not syncing: Fatal exception

On kernels without CONFIG_FORTIFY_SOURCE the first memcpy fits in the
kmalloc-16 slab object and execution reaches the second memcpy whose size
argument has wrapped to (size_t)-1.

Reproduced on Linux 7.0 with a malformed Command PDU sent after a
completed iSCSI Login.
The trigger is reachable post-Login by any initiator that successfully logged in (anonymous on demo-mode targets, authenticated on CHAP-protected targets). No claim of RCE, LPE or controlled write is made. Validate, before any dereference and any allocation: - the AHS area received from the socket holds at least the 4-byte iscsi_ecdb_ahdr header, - AHSLength is at least 1 (RFC 7143 =C2=A710.2.2.3 minimum for the ECDB AHS, which carries one reserved byte), - the declared AHSLength does not exceed the AHS bytes that were actually received. Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.= 1") Signed-off-by: Jeremy Erazo Cc: stable@vger.kernel.org --- drivers/target/iscsi/iscsi_target.c | 33 +++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/isc= si_target.c index e80449f6c..de291eb6f 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -1100,6 +1100,16 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, = struct iscsit_cmd *cmd, cdb =3D hdr->cdb; =20 if (hdr->hlength) { + u16 ahslen; + unsigned int ahs_area_bytes =3D hdr->hlength * 4; + + /* The AHS area must hold at least the iscsi_ecdb_ahdr + * header before any of its fields may be dereferenced. + */ + if (ahs_area_bytes < sizeof(struct iscsi_ecdb_ahdr)) + return iscsit_add_reject_cmd(cmd, + ISCSI_REASON_PROTOCOL_ERROR, buf); + ecdb_ahdr =3D (struct iscsi_ecdb_ahdr *) (hdr + 1); if (ecdb_ahdr->ahstype !=3D ISCSI_AHSTYPE_CDB) { pr_err("Additional Header Segment type %d not supported!\n", 
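Review bot: the check added in this hunk, `if (ahs_area_bytes < sizeof(struct iscsi_ecdb_ahdr))`, bounds against the whole structure, but the changelog states the intent as "the 4-byte iscsi_ecdb_ahdr header", and the struct also carries the ecdb[] member that this function copies from (`ecdb_ahdr->ecdb` in the second hunk), so sizeof() is larger than those 4 bytes and a well-formed AHS whose area is shorter than the full struct would be rejected with ISCSI_REASON_PROTOCOL_ERROR. Use `offsetof(struct iscsi_ecdb_ahdr, ecdb)`, which the second hunk already uses for the same header size, so both bounds agree. Separately, `ahs_area_bytes = hdr->hlength * 4` is computed from a field of the same untrusted PDU, while the changelog describes the bound as "the AHS bytes that were actually received"; a short comment here (or a sentence in the changelog) should say why the buffer behind hdr is guaranteed to hold hlength * 4 bytes past the basic header, since the later `ahslen - 1 > ahs_area_bytes - offsetof(...)` test is only as strong as that guarantee.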
@@ -1108,14 +1118,29 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn,= struct iscsit_cmd *cmd, ISCSI_REASON_CMD_NOT_SUPPORTED, buf); } =20 - cdb =3D kmalloc(be16_to_cpu(ecdb_ahdr->ahslength) + 15, - GFP_KERNEL); + /* Per RFC 7143 =C2=A710.2.2.3 AHSLength counts the bytes of + * the AHS that follow the AHSType/AHSLength fields; for + * the ECDB AHS it includes one reserved byte, so the + * smallest legal value is 1. Rejecting 0 prevents the + * "ahslen - 1" memcpy size below from underflowing to + * (size_t)-1, and ensures the kmalloc(ahslen + 15) below + * is at least ISCSI_CDB_SIZE (16) so the first memcpy + * does not overflow. Also reject any AHSLength larger + * than the AHS bytes that actually reached us. + */ + ahslen =3D be16_to_cpu(ecdb_ahdr->ahslength); + if (ahslen < 1 || + ahslen - 1 > ahs_area_bytes - + offsetof(struct iscsi_ecdb_ahdr, ecdb)) + return iscsit_add_reject_cmd(cmd, + ISCSI_REASON_PROTOCOL_ERROR, buf); + + cdb =3D kmalloc(ahslen + 15, GFP_KERNEL); if (cdb =3D=3D NULL) return iscsit_add_reject_cmd(cmd, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE); - memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb, - be16_to_cpu(ecdb_ahdr->ahslength) - 1); + memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb, ahslen - 1); } =20 data_direction =3D (hdr->flags & ISCSI_FLAG_CMD_WRITE) ? DMA_TO_DEVICE : base-commit: a293ec25d59dd96309058c70df5a4dd0f889a1e4 --=20 2.53.0
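Review bot: two style points on this hunk. `ahslen` is a u16, so `ahslen < 1` is exactly the zero test the comment describes and reads more naturally as `!ahslen`; and both added block comments open with text on the `/*` line, whereas the kernel's documented multi-line comment style puts `/*` on a line of its own. The arithmetic itself holds: the short-circuit `||` establishes ahslen >= 1 before `ahslen - 1` is compared against the received size, so the comparison cannot go negative, and `kmalloc(ahslen + 15)` is then at least ISCSI_CDB_SIZE, which is what makes the unchanged `memcpy(cdb, hdr->cdb, ISCSI_CDB_SIZE)` and the shortened second memcpy stay within the allocation.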
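The three checks the changelog lists, modelled in userspace as an added example (this is not the patch's code nor kernel code). ISCSI_CDB_SIZE = 16 and ISCSI_AHSTYPE_CDB = 1 are the iSCSI protocol values; ECDB_HDR_LEN is a local name for the 4-byte AHSLength/AHSType/reserved header; the function names and the byte arrays are constructed for the illustration.

```c
/* Userspace model of the ECDB AHS checks described above; not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ISCSI_CDB_SIZE     16
#define ISCSI_AHSTYPE_CDB  1  /* AHSType of the Extended CDB AHS */
#define ECDB_HDR_LEN       4  /* AHSLength(2) + AHSType(1) + reserved(1) */

/* The unchecked length expression of the original code: a u16 minus 1 is
 * computed in int and converted to size_t for memcpy, so 0 yields SIZE_MAX. */
size_t naive_copy_len(uint16_t ahslen)
{
    return ahslen - 1;
}

/* Validate an ECDB AHS received into ahs[0..area_bytes). Returns the number
 * of CDB bytes that follow the basic 16 (AHSLength - 1), or -1 when the PDU
 * must be rejected with a protocol error. */
int ecdb_ahs_spillover_len(const uint8_t *ahs, size_t area_bytes)
{
    uint16_t ahslen;

    /* The fixed 4-byte header must be present before its fields are read. */
    if (area_bytes < ECDB_HDR_LEN)
        return -1;
    if (ahs[2] != ISCSI_AHSTYPE_CDB)
        return -1;
    ahslen = (uint16_t)((ahs[0] << 8) | ahs[1]);
    /* AHSLength counts the reserved byte, so the smallest legal value is 1. */
    if (ahslen < 1)
        return -1;
    /* The declared length may not run past the bytes actually received. */
    if ((size_t)(ahslen - 1) > area_bytes - ECDB_HDR_LEN)
        return -1;
    return ahslen - 1;
}

/* Assemble the full CDB from the basic header's 16 bytes plus the validated
 * spillover. Returns the CDB length, or -1 if rejected or out is too small. */
int assemble_cdb(const uint8_t *basic_cdb, const uint8_t *ahs,
                 size_t area_bytes, uint8_t *out, size_t out_len)
{
    int spill = ecdb_ahs_spillover_len(ahs, area_bytes);
    if (spill < 0 || out_len < ISCSI_CDB_SIZE + (size_t)spill)
        return -1;
    memcpy(out, basic_cdb, ISCSI_CDB_SIZE);
    memcpy(out + ISCSI_CDB_SIZE, ahs + ECDB_HDR_LEN, (size_t)spill);
    return ISCSI_CDB_SIZE + spill;
}
```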