[PATCH] scsi: lpfc: fix heap overflow in lpfc_bsg_diag_loopback_run()
From: Junrui Luo
Date: Wed Apr 22 2026 - 05:19:01 EST
lpfc_bsg_diag_loopback_run() allocates dataout as a staging buffer
before copying loopback test data into DMA segments. When the
user-supplied payload size exceeds 64KB, the allocation is capped at
64KB while sg_copy_to_buffer() and the subsequent memcpy loop operate
on the full payload (up to 80 * 4096 bytes).
This leads to a heap buffer overflow with user-controlled data.
Fix by allocating full_size in the large-size path, consistent with the
small-size path and with diag_cmd_data_alloc().
Fixes: 3b5dd52aaffd ("[SCSI] lpfc 8.3.8: (BSG4) Add new vendor specific BSG Commands")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/scsi/lpfc/lpfc_bsg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
index 7406dfa60016..83fef256f324 100644
--- a/drivers/scsi/lpfc/lpfc_bsg.c
+++ b/drivers/scsi/lpfc/lpfc_bsg.c
@@ -3111,7 +3111,7 @@ lpfc_bsg_diag_loopback_run(struct bsg_job *job)
if (size <= (64 * 1024))
total_mem = full_size;
else
- total_mem = 64 * 1024;
+ total_mem = full_size;
} else
/* Allocate memory for ioctl data */
total_mem = BUF_SZ_4K;
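Review bot: with this change both arms of `if (size <= (64 * 1024))` assign `total_mem = full_size;`, so the conditional at the top of the hunk is now dead structure; either collapse the two arms into a single `total_mem = full_size;` or, if the 64KB figure was meant as a hard cap on the staging buffer, reject oversized requests before allocation rather than silently allocating the full payload. It would also help to state in the commit message that full_size is bounded by the 80 * 4096-byte limit the description cites, so the larger allocation cannot itself be driven to an arbitrary size by the user-supplied payload size.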
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260422-fixes-4b4edb0b7e88
Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>