[PATCH] scsi: scsi_debug: reject too-small REPORT ZONES buffers

From: Samuel Moelius

Date: Wed Jun 03 2026 - 13:15:14 EST


REPORT ZONES subtracts the response header size from the allocation
length before ensuring that the allocation is large enough. A short
allocation can underflow and make the remaining length look huge.

The handler can then write zone descriptors past the caller-provided
response buffer.

Validate the allocation length before subtracting the header size.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx>
---
drivers/scsi/scsi_debug.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 1515495fd9ea..f17e59482cfc 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -5911,6 +5911,10 @@ static int resp_report_zones(struct scsi_cmnd *scp,
alloc_len = get_unaligned_be32(cmd + 10);
if (alloc_len == 0)
return 0; /* not an error */
+ if (alloc_len < RZONES_DESC_HD) {
+ mk_sense_buffer(scp, ILLEGAL_REQUEST, INVALID_FIELD_IN_CDB, 0);
+ return check_condition_result;
+ }
rep_opts = cmd[14] & 0x3f;
partial = cmd[14] & 0x80;

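Review bot: the new `if (alloc_len < RZONES_DESC_HD)` branch turns a short allocation length into CHECK CONDITION / INVALID FIELD IN CDB, which is inconsistent with the `alloc_len == 0` branch immediately above it that returns 0 and is commented "not an error". Under SPC allocation-length semantics a short buffer is never itself an error: the device server truncates the Data-In transfer to the allocation length, so an initiator that sends, say, 32 bytes to probe the header size would expect a truncated header back rather than a sense error. The underflow described in the commit message can be closed without changing that behaviour by keeping the guard but using it to skip the descriptor-count computation (and copying only `alloc_len` bytes of the header) instead of returning `check_condition_result`. Separately, the subtraction this check protects is not in the visible context, so the hunk alone does not let a reader confirm that no other path (for example the `partial` handling that follows) reaches it with a shorter length; a one-line comment at the subtraction site pointing at this check, or a mention of the affected expression in the commit message, would make the fix self-evident.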
--
2.43.0
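The unsigned underflow the commit message describes, reduced to a stand-alone C model. This is an added example, not code from scsi_debug or from the patch author: the header and descriptor sizes are assumed to be 64 bytes each (the ZBC REPORT ZONES layout), the function names are hypothetical, and the "buffer" is just a byte count, so the model shows how many bytes the handler would emit past a caller-provided buffer rather than actually overwriting memory.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed sizes for illustration (ZBC uses a 64-byte response header
 * followed by 64-byte zone descriptors). Not taken from the patch. */
#define RZ_HDR_LEN  64u
#define RZ_DESC_LEN 64u

/* Unguarded form: mirrors the bug the commit message describes.
 * The header length is subtracted from a u32 allocation length before
 * anyone checks that alloc_len >= RZ_HDR_LEN, so a short length wraps
 * and the "remaining" space looks enormous. */
static uint32_t max_desc_unguarded(uint32_t alloc_len)
{
	uint32_t remaining = alloc_len - RZ_HDR_LEN; /* wraps when alloc_len < 64 */
	return remaining / RZ_DESC_LEN;
}

/* Guarded form: validate before subtracting. Returns -1 where the patch
 * would return CHECK CONDITION (1 <= alloc_len < header), 0 for a zero
 * allocation length, otherwise the number of descriptors that fit. */
static int64_t max_desc_guarded(uint32_t alloc_len)
{
	if (alloc_len == 0)
		return 0;
	if (alloc_len < RZ_HDR_LEN)
		return -1;
	return (int64_t)((alloc_len - RZ_HDR_LEN) / RZ_DESC_LEN);
}

/* Model of the handler's output size: header plus as many descriptors as
 * the computed limit and the zone count allow. Returns the total bytes the
 * handler would produce for this CDB, or 0 if it bails out. */
static uint64_t response_bytes(uint32_t alloc_len, uint32_t nr_zones, bool guarded)
{
	uint64_t limit;

	if (guarded) {
		int64_t m = max_desc_guarded(alloc_len);
		if (m <= 0)
			return 0;          /* rejected or nothing requested */
		limit = (uint64_t)m;
	} else {
		if (alloc_len == 0)
			return 0;
		limit = max_desc_unguarded(alloc_len);
	}

	uint64_t n = nr_zones < limit ? nr_zones : limit;
	return RZ_HDR_LEN + n * RZ_DESC_LEN;
}

/* Bytes that would land outside a caller buffer of alloc_len bytes. */
static uint64_t overrun_bytes(uint32_t alloc_len, uint32_t nr_zones, bool guarded)
{
	uint64_t out = response_bytes(alloc_len, nr_zones, guarded);
	return out > alloc_len ? out - alloc_len : 0;
}

int main(void)
{
	/* Constructed input: a 16-byte buffer against a device with 8 zones. */
	const uint32_t alloc_len = 16, nr_zones = 8;

	printf("unguarded limit : %u descriptors\n", max_desc_unguarded(alloc_len));
	printf("unguarded overrun: %llu bytes\n",
	       (unsigned long long)overrun_bytes(alloc_len, nr_zones, false));
	printf("guarded overrun  : %llu bytes\n",
	       (unsigned long long)overrun_bytes(alloc_len, nr_zones, true));
	return 0;
}
```

With the constructed 16-byte buffer the unguarded path computes a limit of 67108863 descriptors, so all 8 zones are emitted (64 + 8*64 = 576 bytes) and 560 of them land past the buffer; the guarded path emits nothing for that CDB.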