Re: [PATCH next] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()

From: Jens Axboe

Date: Fri Apr 10 2026 - 08:52:59 EST



On Fri, 10 Apr 2026 13:14:52 +0300, Dan Carpenter wrote:
> The bounds checking in scsi_bsg_uring_cmd() does not work because
> cmd->request_len is a u32 and scmd->cmd_len is a u16. We check that
> scmd->cmd_len is valid but if the cmd->request_len is more than
> USHRT_MAX it would still lead to a buffer overflow when we do the
> copy_from_user().
>
>
> [...]

Applied, thanks!

[1/1] scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd()
commit: 0a42ca4d2bff6306dd574a7897258fd02c2e6930

Best regards,
--
Jens Axboe
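
Added example, not part of the original thread or of the applied commit: a userspace C model of the truncation described in the quoted commit message, where the bound is tested on a u16 copy of a u32 length but the copy uses the u32. `struct model_cmd`, `MAX_CDB` and both function names are hypothetical, and the corrected check is one way to validate the full-width value, not the text of the fix.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_CDB 32                 /* assumed destination buffer size */

struct model_cmd {                 /* hypothetical stand-in for the command */
    uint16_t cmd_len;              /* narrow field, as in the report */
    uint8_t  cmnd[MAX_CDB];
};

/* Flawed pattern: the bound is checked on the truncated u16, but the
 * length later handed to the copy is still the original u32.
 * Returns the number of bytes the copy would use, or -1 if rejected. */
static int64_t copy_len_narrow_check(struct model_cmd *c, uint32_t request_len)
{
    c->cmd_len = (uint16_t)request_len;       /* high 16 bits are dropped */
    if (c->cmd_len > sizeof(c->cmnd))
        return -1;
    return (int64_t)request_len;              /* exceeds cmnd[] if > 32 */
}

/* Corrected pattern: validate the full-width value before narrowing, so
 * the checked length and the copied length are the same number. */
static int64_t copy_len_wide_check(struct model_cmd *c, uint32_t request_len)
{
    if (request_len > sizeof(c->cmnd))
        return -1;
    c->cmd_len = (uint16_t)request_len;       /* lossless: value <= 32 */
    return (int64_t)request_len;
}

int main(void)
{
    /* Constructed sample lengths: in range, plainly too large, > USHRT_MAX. */
    const uint32_t samples[] = { 16u, 100u, 65536u + 16u };
    struct model_cmd c;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int64_t n = copy_len_narrow_check(&c, samples[i]);
        int64_t w = copy_len_wide_check(&c, samples[i]);
        printf("request_len=%u narrow=%lld wide=%lld\n",
               samples[i], (long long)n, (long long)w);
    }
    return 0;
}
```

The copy itself is left out of the model on purpose; the returned length is what a review or a unit test should compare against the destination size.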