Re: [PATCH v4] scsi: scsi_debug: fix REPORT ZONES alloc_len underflow OOB write

From: Damien Le Moal

Date: Mon Jul 13 2026 - 01:44:08 EST


On 7/13/26 03:37, Ibrahim Hashimov wrote:
> resp_report_zones() sizes the reply buffer from the CDB allocation
> length. The v3 fix rounds alloc_len up with ALIGN() before deriving the
> descriptor count:
>
> rep_max_zones = (ALIGN((u64)alloc_len, RZONES_DESC_HD) -
> RZONES_DESC_HD) >> ilog2(RZONES_DESC_HD);
> arr_len = (u64)RZONES_DESC_HD * (rep_max_zones + 1);
>
> For alloc_len in 0xFFFFFFC1..0xFFFFFFFF, ALIGN() rounds up to
> 0x100000000, so arr_len is 4 GB. On 32-bit, kzalloc()'s size_t is
> 32-bit and truncates 0x100000000 to 0; kzalloc(0) returns
> ZERO_SIZE_PTR, which passes the !arr check, and desc = arr + 64 is then
> dereferenced in the loop -> out-of-bounds write / panic.
>
> Clamp rep_max_zones to devip->nr_zones. The loop already stops at
> sdebug_capacity (after nr_zones zones), so a report can never hold more
> than nr_zones descriptors; the clamp does not change the report, it
> only bounds arr_len to (nr_zones + 1) * RZONES_DESC_HD, a real device
> property that can never reach 0x100000000.
>
> Fixes: 7db0e0c8190a ("scsi: scsi_debug: Fix buffer size of REPORT ZONES command")
> Suggested-by: Damien Le Moal <dlemoal@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Ibrahim Hashimov <security@xxxxxxxxxxxx>
> Assisted-by: AuditCode-AI:2026.07

Looks good.

Reviewed-by: Damien Le Moal <dlemoal@xxxxxxxxxx>

--
Damien Le Moal
Western Digital Research