From: Samuel Moelius
To: "James E.J. Bottomley"
Cc: Samuel Moelius, "Martin K. Petersen", linux-scsi@vger.kernel.org (open list:SCSI SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] scsi: scsi_debug: avoid REPORT ZONES short-buffer overflow
Date: Wed, 3 Jun 2026 22:52:38 +0000
Message-ID: <20260603225239.102803-1-sam.moelius@trailofbits.com>
X-Mailer: git-send-email 2.43.0

REPORT ZONES allocation length is the initiator's receive buffer size, not a minimum valid response size. Short allocation lengths are valid: an initiator may request only the first few bytes of the response before issuing a larger request.

scsi_debug currently derives the number of descriptors from alloc_len - RZONES_DESC_HD and allocates only alloc_len bytes. For a nonzero allocation length smaller than the report header, that subtraction underflows and the handler can write header fields or zone descriptors past the allocated buffer.

Keep accepting short allocation lengths, but allocate enough internal space for the report header and only emit descriptors that fit after the header. Limit the transfer back to the initiator to the requested allocation length. Non-PARTIAL short requests still return the normal leading report-length field, so 4-byte length probes continue to work.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius --- drivers/scsi/scsi_debug.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 1515495fd9ea..6084257dabe1 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -5895,7 +5895,7 @@ static int resp_report_zones(struct scsi_cmnd *scp, { unsigned int rep_max_zones, nrz =3D 0; int ret =3D 0; - u32 alloc_len, rep_opts, rep_len; + u32 alloc_len, arr_len, rep_opts, rep_len; bool partial; u64 lba, zs_lba; u8 *arr =3D NULL, *desc; @@ -5919,9 +5919,14 @@ static int resp_report_zones(struct scsi_cmnd *scp, return check_condition_result; } =20 - rep_max_zones =3D (alloc_len - 64) >> ilog2(RZONES_DESC_HD); + if (alloc_len > RZONES_DESC_HD) + rep_max_zones =3D (alloc_len - RZONES_DESC_HD) >> + ilog2(RZONES_DESC_HD); + else + rep_max_zones =3D 0; + arr_len =3D RZONES_DESC_HD + rep_max_zones * RZONES_DESC_HD; =20 - arr =3D kzalloc(alloc_len, GFP_ATOMIC | __GFP_NOWARN); + arr =3D kzalloc(arr_len, GFP_ATOMIC | __GFP_NOWARN); if (!arr) { mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC, INSUFF_RES_ASCQ); --=20 2.43.0
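Review bot: in the second hunk (the rep_max_zones / kzalloc() change), the commit message says the transfer back to the initiator is limited to the requested allocation length, but the hunk ends at the kzalloc() line and the copy-out that follows is not shown; since arr_len is now RZONES_DESC_HD even when alloc_len is smaller, the later transfer must clamp to alloc_len rather than to arr_len or rep_len, and that line belongs in the diff (or a note in the commit message that it was already clamped) so a reviewer can check it. Two smaller points: `alloc_len > RZONES_DESC_HD` and `>=` give the same result at equality (both yield rep_max_zones = 0 and arr_len = RZONES_DESC_HD), so a one-line comment above the `if` saying that a short allocation length is legal and only trims descriptors would spare the next reader the same check; and replacing the bare literal 64 with RZONES_DESC_HD is a welcome consistency fix, since the shift below it already used ilog2(RZONES_DESC_HD).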
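To make the sizing defect described in the commit message concrete, the following is an added, constructed C model of the old and new rep_max_zones / arr_len computation. It is not the kernel's code and not part of the patch. It assumes RZONES_DESC_HD is 64 bytes (implied by the literal 64 the hunk replaces and by the shift by ilog2(RZONES_DESC_HD)), uses division by that power of two in place of the kernel's shift, and models the "limit the transfer to the allocation length" step as a plain minimum, because that step is not visible in the hunk. The header_fits() check stands in for the question the fix answers: can the handler write the report header without running past the array it allocated?

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the REPORT ZONES response sizing in scsi_debug's
 * resp_report_zones(), not the kernel's code. RZONES_DESC_HD is the size of
 * one zone descriptor and of the report header; the hunk's literal 64 implies
 * the value 64, which is assumed here. Division by a power of two stands in
 * for the kernel's shift by ilog2(RZONES_DESC_HD).
 */
#define RZONES_DESC_HD 64u

struct rz_sizing {
	uint32_t rep_max_zones;	/* descriptors the response array can hold */
	uint32_t arr_len;	/* bytes allocated for the response array */
};

/*
 * Pre-fix sizing. The subtraction happens before anything checks that
 * alloc_len covers a header, so for 0 < alloc_len < RZONES_DESC_HD the u32
 * wraps to a huge descriptor count while the array is only alloc_len bytes:
 * writing even the header overruns it.
 */
struct rz_sizing old_sizing(uint32_t alloc_len)
{
	struct rz_sizing s;

	s.rep_max_zones = (alloc_len - 64u) / RZONES_DESC_HD;
	s.arr_len = alloc_len;
	return s;
}

/*
 * Post-fix sizing, mirroring the hunk: derive a descriptor count only when
 * there is room past the header, and size the array from header plus
 * descriptors rather than from the raw allocation length.
 */
struct rz_sizing new_sizing(uint32_t alloc_len)
{
	struct rz_sizing s;

	if (alloc_len > RZONES_DESC_HD)
		s.rep_max_zones = (alloc_len - RZONES_DESC_HD) / RZONES_DESC_HD;
	else
		s.rep_max_zones = 0;
	s.arr_len = RZONES_DESC_HD + s.rep_max_zones * RZONES_DESC_HD;
	return s;
}

/* Can the header (RZONES_DESC_HD bytes) be written without overrunning the array? */
bool header_fits(struct rz_sizing s)
{
	return s.arr_len >= RZONES_DESC_HD;
}

/*
 * Bytes handed back to the initiator for a report carrying nrz descriptors:
 * the generated report, clamped to the allocation length the initiator gave.
 * This models the "limit the transfer" step the commit message describes;
 * the hunk itself does not show that line.
 */
uint32_t transfer_len(uint32_t alloc_len, uint32_t nrz)
{
	uint32_t rep_len = RZONES_DESC_HD + nrz * RZONES_DESC_HD;

	return rep_len < alloc_len ? rep_len : alloc_len;
}

int main(void)
{
	/* Constructed allocation lengths: a 4-byte length probe, one byte short
	 * of a header, exactly a header, and a few larger values. */
	const uint32_t probes[] = { 4, 63, 64, 65, 128, 200 };
	size_t i;

	printf("%9s %13s %9s %13s %9s %8s\n", "alloc_len", "old_max_zones",
	       "old_fits", "new_max_zones", "new_arr", "xfer");
	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		struct rz_sizing o = old_sizing(probes[i]);
		struct rz_sizing n = new_sizing(probes[i]);

		printf("%9u %13u %9s %13u %9u %8u\n", probes[i],
		       o.rep_max_zones, header_fits(o) ? "yes" : "NO",
		       n.rep_max_zones, n.arr_len,
		       transfer_len(probes[i], n.rep_max_zones));
	}
	return 0;
}
```

The table the program prints shows the two properties the fix establishes: new_sizing() never returns an array smaller than one header, so header_fits() holds for every allocation length, and arr_len never exceeds alloc_len once alloc_len is at least a header, so nothing is over-allocated for large requests. For the 4-byte probe, the old computation wraps to tens of millions of descriptors while the array is 4 bytes; the new one allocates one header and hands back only the 4 bytes the initiator asked for.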