Re: [PATCH] scsi: mpi3mr: bounds-check phy_number in mpi3mr_update_links()
From: James Bottomley
Date: Sun Apr 19 2026 - 10:25:44 EST
On Sun, 2026-04-19 at 20:08 +0800, Junrui Luo wrote:
> mpi3mr_update_links() dereferences mr_sas_node->phy[phy_number] and
> writes attached_handle without verifying that phy_number is within
> the parent node's allocated phy array.
That's right: the phy number is supplied by the expander (or device).
> Two callers feed phy_number from firmware-supplied fields:
> mpi3mr_sastopochg_evt_bh() passes (event_data->start_phy_num + i)
> from the SAS topology change event, and
> mpi3mr_report_tgtdev_to_sas_transport() passes
> tgtdev->dev_spec.sas_sata_inf.phy_id from firmware device
> information.
>
> Since num_phys is a u8, a stray phy_number can reach 255 and index
> past the kzalloc_objs()-sized phy[] array, leading to an out-of-
> bounds.
>
> The sibling mpt3sas driver guards at the topology-change caller by
> discarding entries whose phy_number exceeds max_phys. Apply the
> equivalent check inside mpi3mr_update_links().
Our threat model for hardware is that we assume it behaves correctly
unless someone finds a buggy instance in the field ... have you found
such a buggy device?
Regards,
James
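The phy[] indexing described in the quoted patch description, modelled as an added userspace C example (not mpi3mr driver code): sas_node, phy_info, update_links() and try_update() are hypothetical stand-ins for the driver's structures, and the check shown is the one the patch proposes, with a phy_number of 255 against an 8-phy node as the case it discards.

```c
/* Added example, not mpi3mr code: a userspace model of the phy[] indexing
 * the patch describes, with the proposed bounds check. All names are
 * hypothetical stand-ins for the driver's structures. */
#include <stdint.h>
#include <stdlib.h>
#include <errno.h>

struct phy_info {
	uint16_t attached_handle;	/* field update_links() writes */
};

struct sas_node {
	uint8_t num_phys;		/* u8 in the driver, so at most 255 */
	struct phy_info *phy;		/* exactly num_phys entries allocated */
};

/* Hardened update: phy_number comes from a firmware-supplied field
 * (topology change event or device information), so it is validated
 * against the parent's allocated phy[] before the write. Returns 0 on
 * success or -EINVAL when the entry is discarded, as mpt3sas does. */
int update_links(struct sas_node *parent, uint8_t phy_number,
		 uint16_t attached_handle)
{
	if (!parent || !parent->phy)
		return -EINVAL;
	/* e.g. phy_number 255 on a node with num_phys == 8 would
	 * otherwise write 247 entries past the allocation */
	if (phy_number >= parent->num_phys)
		return -EINVAL;
	parent->phy[phy_number].attached_handle = attached_handle;
	return 0;
}

/* Build a node with n phys (like kzalloc_objs(num_phys) in the driver),
 * feed it one phy_number and report 1 if accepted, 0 if discarded,
 * -1 on allocation failure. Constructed scenario, n must be > 0. */
int try_update(uint8_t n, uint8_t phy_number)
{
	struct sas_node node = { .num_phys = n };
	int rc;

	node.phy = calloc(n, sizeof(*node.phy));
	if (!node.phy)
		return -1;
	rc = update_links(&node, phy_number, 0x1234);
	free(node.phy);
	return rc == 0;
}
```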