Re: [PATCH] scsi: scsi_debug: reject too-small REPORT ZONES buffers

From: James Bottomley

Date: Wed Jun 03 2026 - 15:12:06 EST


On Wed, 2026-06-03 at 17:11 +0000, Samuel Moelius wrote:
> REPORT ZONES subtracts the response header size from the allocation
> length before ensuring that the allocation is large enough.  A short
> allocation can underflow and make the remaining length look huge.
>
> The handler can then write zone descriptors past the caller-provided
> response buffer.
>
> Validate the allocation length before subtracting the header size.
>
> Assisted-by: Codex:gpt-5.5-cyber-preview
> Signed-off-by: Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx>
> ---
>  drivers/scsi/scsi_debug.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index 1515495fd9ea..f17e59482cfc 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -5911,6 +5911,10 @@ static int resp_report_zones(struct scsi_cmnd
> *scp,
>   alloc_len = get_unaligned_be32(cmd + 10);
>   if (alloc_len == 0)
>   return 0; /* not an error */
> + if (alloc_len < RZONES_DESC_HD) {
> + mk_sense_buffer(scp, ILLEGAL_REQUEST,
> INVALID_FIELD_IN_CDB, 0);
> + return check_condition_result;
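
Review bot: rejecting every allocation length below RZONES_DESC_HD with ILLEGAL REQUEST / INVALID FIELD IN CDB is stricter than the bug in the commit message needs and sits awkwardly next to the `alloc_len == 0` case two lines above, which the existing code deliberately treats as legal ("not an error"). A caller is entitled to pass a short allocation (for instance 4 bytes, enough to read the length field) and get a truncated response. The underflow the commit message describes is in the subtraction itself, so the fix belongs there: compute the descriptor space as 0 when `alloc_len < RZONES_DESC_HD` instead of `alloc_len - RZONES_DESC_HD`, and bound the final copy by min(alloc_len, total response length). The lines that do the subtraction and the copy are not included in this quote, so the exact placement of that clamp cannot be checked here.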

That doesn't look right. The returned length is almost always the
first parameter of a SCSI command (it is in this case) and a lot of
users will send a buffer just big enough for the length (4 bytes in
this case) to get the actual length before they ask for the whole
thing. If you require 64 bytes, we're going to reject perfectly legal
requests.

Regards,

James