Re: [PATCH] scsi: fix shift out-of-bounds in sg_build_indirect

The num variable is set to 0. The variable num gets its value from scatter_elem_sz. However, the minimum value of scatter_elem_sz is PAGE_SHIFT. So set num to PAGE_SIZE when num < PAGE_SIZE.
From: Khalid Aziz
Date: Mon Oct 06 2025 - 15:41:31 EST
On 10/6/25 11:46 AM, Kshitij Paranjape wrote:
Cc: <stable@xxxxxxxxxxxxxxx>
Reported-by: syzbot+270f1c719ee7baab9941@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=270f1c719ee7baab9941
Signed-off-by: Kshitij Paranjape <kshitijvparanjape@xxxxxxxxx>
---
drivers/scsi/sg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index effb7e768165..9ae41bb256d7 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1888,6 +1888,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size)
if (num < PAGE_SIZE) {
scatter_elem_sz = PAGE_SIZE;
scatter_elem_sz_prev = PAGE_SIZE;
+ num = scatter_elem_sz;
} else
scatter_elem_sz_prev = num;
}
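Review bot: the added `num = scatter_elem_sz;` in the `if (num < PAGE_SIZE)` branch only matters if num is read again after this block, and neither the visible context nor the commit message says where that later read is; the message should name the use that a num value below PAGE_SIZE breaks, since otherwise the new line looks redundant beside `scatter_elem_sz_prev = PAGE_SIZE;`, which already records the rounded-up size. The commit message also states that the minimum of scatter_elem_sz is PAGE_SHIFT, while the code compares and assigns PAGE_SIZE; the message and the code should cite the same bound. As a style point, `num = PAGE_SIZE;` would read more directly than routing the value through scatter_elem_sz and would match the two assignments immediately above it.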
Have you seen any issues caused by not setting num to PAGE_SIZE when num < PAGE_SIZE?
From what I can see, num is used to calculate the page order for allocation, which will be 0 whether num = PAGE_SIZE or num < PAGE_SIZE. After that, num gets assigned a new value anyway before its next use.
--
Khalid