git.baikalelectronics.ru Git - kernel.git/commit

author	Lin Ma <linma@zju.edu.cn>
	Sun, 23 Jul 2023 08:00:53 +0000 (16:00 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 13 Sep 2023 07:42:52 +0000 (09:42 +0200)
commit	25feffb3fbd51ae81d92c65cebc0e932663828b3
tree	29349986b96f264f0a0a523a9c5a7d930e3f344d	tree \| snapshot
parent	1806edae979fe13356ce4337acfe9d67f896a251	commit \| diff

scsi: qla4xxx: Add length check when parsing nlattrs

[ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ]

There are three places that qla4xxx parses nlattrs:

- qla4xxx_set_chap_entry()

- qla4xxx_iface_set_param()

- qla4xxx_sysfs_ddb_set_param()

and each of them directly converts the nlattr to specific pointer of
structure without length checking. This could be dangerous as those
attributes are not validated and a malformed nlattr (e.g., length 0) could
result in an OOB read that leaks heap dirty data.

Add the nla_len check before accessing the nlattr data and return EINVAL if
the length check fails.

Fixes: 26ffd7b45fe9 ("[SCSI] qla4xxx: Add support to set CHAP entries")
Fixes: 1e9e2be3ee03 ("[SCSI] qla4xxx: Add flash node mgmt support")
Fixes: 00c31889f751 ("[SCSI] qla4xxx: fix data alignment and use nl helpers")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn
Reviewed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>