Re: [PATCH] target: sbp: integer overflow and potential memory corruption

From: Martin K. Petersen
Date: Mon Feb 05 2024 - 17:16:00 EST

Fullway,

> The code in sbp_make_tpg() is confusing because tpgt was limited
> to UINT_MAX but the datatype of tpg->tport_tpgt is actually u16.
> Correctly fix the data type problem to avoid integer overflow.
>
> This is similar to CVE-2015-4036 in the sense that sbp is a clone
> of vhost/scsi, and the bug was inherited but never fixed.

> +#define SBP_MAX_TARGET 256
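Review bot: The bound 256 in this define is not explained by the hunk or by the commit message, which only states that tpg->tport_tpgt is u16; a u16 alone would justify U16_MAX, so if 256 comes from the SBP-2 protocol or from some other table size, that origin should be stated in a comment next to the define (and in the commit message) so the relationship between SBP_MAX_TARGET and the u16 field is verifiable.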

Why 256?

--
Martin K. Petersen Oracle Linux Engineering