Re: [PATCH] scsi: ibmvfc: fix OOB access in ibmvfc_discover_targets_done()

Next message: Martin K. Petersen: "Re: [PATCH v3] scsi: ufs: qcom: dt-bindings: Document the Eliza UFS controller"
Previous message: Dmitry Baryshkov: "[PATCH] arm64: dts: qcom: purwa: deduplicate thermal sensors with Hamoa"
In reply to: Tyrel Datwyler: "Re: [PATCH] scsi: ibmvfc: fix OOB access in ibmvfc_discover_targets_done()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Martin K. Petersen

Date: Thu Mar 19 2026 - 22:36:39 EST

On Sat, 14 Mar 2026 12:01:50 -0500, Tyllis Xu wrote:

> A malicious or compromised VIO server can return a num_written value in
> the discover targets MAD response that exceeds max_targets. This value
> is stored directly in vhost->num_targets without validation, and is then
> used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[],
> which is only allocated for max_targets entries. Indices at or beyond
> max_targets access kernel memory outside the DMA-coherent allocation.
> The out-of-bounds data is subsequently embedded in Implicit Logout and
> PLOGI MADs that are sent back to the VIO server, leaking kernel memory.
>
> [...]

Applied to 7.0/scsi-fixes, thanks!

[1/1] scsi: ibmvfc: fix OOB access in ibmvfc_discover_targets_done()
https://git.kernel.org/mkp/scsi/c/61d099ac4a7a

--
Martin K. Petersen