[PATCH next] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()

Next message: Vishnu Reddy: "Re: [PATCH RFC 4/7] media: qcom: iris: vdec: update size and stride calculations for 10bit formats"
Previous message: Weiming Shi: "[PATCH nf] netfilter: nf_tables: use RCU-safe list primitives for basechain hook list"
Next in thread: Jens Axboe: "Re: [PATCH next] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Fri Apr 10 2026 - 06:15:34 EST

The bounds checking in scsi_bsg_uring_cmd() does not work because
cmd->request_len is a u32 and scmd->cmd_len is a u16. We check that
scmd->cmd_len is valid but if the cmd->request_len is more than
USHRT_MAX it would still lead to a buffer overflow when we do the
copy_from_user().

Fixes: 7b6d3255e7f8 ("scsi: bsg: add io_uring passthrough handler")
Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
---
This email is a free service from the Smatch-CI project [smatch.sf.net].

drivers/scsi/scsi_bsg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_bsg.c b/drivers/scsi/scsi_bsg.c
index c3ce497a3b94..e80dec53174e 100644
--- a/drivers/scsi/scsi_bsg.c
+++ b/drivers/scsi/scsi_bsg.c
@@ -137,11 +137,11 @@ static int scsi_bsg_uring_cmd(struct request_queue *q, struct io_uring_cmd *iouc
return PTR_ERR(req);

scmd = blk_mq_rq_to_pdu(req);
- scmd->cmd_len = cmd->request_len;
- if (scmd->cmd_len > sizeof(scmd->cmnd)) {
+ if (cmd->request_len > sizeof(scmd->cmnd)) {
ret = -EINVAL;
goto out_free_req;
}
+ scmd->cmd_len = cmd->request_len;
scmd->allowed = SG_DEFAULT_RETRIES;

if (copy_from_user(scmd->cmnd, uptr64(cmd->request), cmd->request_len)) {
--
2.53.0