From fbca7a04dbd8271752a58594727b61307bcc85b6 Mon Sep 17 00:00:00 2001
From: Flavio Suligoi
Date: Wed, 24 Jun 2020 15:56:00 +0200
Subject: scsi: storvsc: Fix spelling mistake Fix typo: "trigerred" --> "triggered"
Link: https://lore.kernel.org/r/20200624135600.14274-1-f.suligoi@asem.it
Signed-off-by: Flavio Suligoi
Signed-off-by: Martin K. Petersen
---
 drivers/scsi/storvsc_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'drivers/scsi/storvsc_drv.c')
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 2d90cddd8ac2..7b686268ad19 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1033,7 +1033,7 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb,
 do_work = true;
 process_err_fn = storvsc_device_scan;
 /*
- * Retry the I/O that trigerred this.
+ * Retry the I/O that triggered this.
 */
 set_host_byte(scmnd, DID_REQUEUE);
 }
-- cgit
From 0a76566595bfb242a7f4bedc77233e9194831ba3 Mon Sep 17 00:00:00 2001
From: Andres Beltran
Date: Mon, 6 Jul 2020 12:09:28 -0400
Subject: scsi: storvsc: Add validation for untrusted Hyper-V values For additional robustness in the face of Hyper-V errors or malicious behavior, validate all values that originate from packets that Hyper-V has sent to the guest. Ensure that invalid values cannot cause data being copied out of the bounds of the source buffer when calling memcpy. Ensure that outgoing packets do not have any leftover guest memory that has not been zeroed out.
Link: https://lore.kernel.org/r/20200706160928.53049-1-lkmlabelt@gmail.com
Cc: James E.J. Bottomley
Cc: Martin K. Petersen
Cc: linux-scsi@vger.kernel.org
Reviewed-by: Michael Kelley
Signed-off-by: Andres Beltran
Signed-off-by: Martin K. Petersen
---
 drivers/scsi/storvsc_drv.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'drivers/scsi/storvsc_drv.c')
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 7b686268ad19..5c9f6b761fd6 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1100,6 +1100,10 @@ static void storvsc_command_completion(struct storvsc_cmd_request *cmd_request,
 data_transfer_length = 0;
 }
+ /* Validate data_transfer_length (from Hyper-V) */
+ if (data_transfer_length > cmd_request->payload->range.len)
+ data_transfer_length = cmd_request->payload->range.len;
+
 scsi_set_resid(scmnd, cmd_request->payload->range.len - data_transfer_length);
@@ -1140,6 +1144,11 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device,
 /* Copy over the status...etc */
 stor_pkt->vm_srb.scsi_status = vstor_packet->vm_srb.scsi_status;
 stor_pkt->vm_srb.srb_status = vstor_packet->vm_srb.srb_status;
+
+ /* Validate sense_info_length (from Hyper-V) */
+ if (vstor_packet->vm_srb.sense_info_length > sense_buffer_size)
+ vstor_packet->vm_srb.sense_info_length = sense_buffer_size;
+
 stor_pkt->vm_srb.sense_info_length = vstor_packet->vm_srb.sense_info_length;
@@ -1565,6 +1574,7 @@ static int storvsc_host_reset_handler(struct scsi_cmnd *scmnd)
 request = &stor_device->reset_request;
 vstor_packet = &request->vstor_packet;
+ memset(vstor_packet, 0, sizeof(struct vstor_packet));
 init_completion(&request->wait_event);
@@ -1668,6 +1678,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
 /* Setup the cmd request */
 cmd_request->cmd = scmnd;
+ memset(&cmd_request->vstor_packet, 0, sizeof(struct vstor_packet));
 vm_srb = &cmd_request->vstor_packet.vm_srb;
 vm_srb->win8_extension.time_out_value = 60;
-- cgit
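Review bot: In storvsc_command_completion the new clamp silently absorbs a host-reported length that exceeds the request: once `data_transfer_length` is forced to `range.len`, `scsi_set_resid()` is called with a residual of 0 and the command completes as though everything was transferred, with nothing recording that the host sent an out-of-range value. The comment only says "Validate"; it should state what the clamp protects, for example `/* Host-supplied length: clamp so the resid subtraction below cannot underflow */`. A rate-limited warning on that branch would also give operators a signal of host misbehaviour. The function starts and ends outside the hunk.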
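Review bot: In storvsc_on_io_completion the clamp is written back into `vstor_packet` and the same field is then read again for the assignment to `stor_pkt->vm_srb.sense_info_length`, so the check and the use are two separate fetches of host-supplied data. If `vstor_packet` still refers to memory the host can modify (not visible in this hunk), the value may change after the check. Reading it once avoids that: take `len = READ_ONCE(vstor_packet->vm_srb.sense_info_length);`, clamp `len` against `sense_buffer_size`, assign `stor_pkt->vm_srb.sense_info_length` from `len`, and size any later copy from the `stor_pkt` field rather than from the packet. The function continues outside the hunk.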
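Review bot: Both added memset() calls, in storvsc_host_reset_handler and in storvsc_queuecommand, size the clear by type name rather than by the object being cleared, so the length would silently stop matching if the field's type ever changed. An incomplete clear is the very leak of stale guest memory this commit is closing. Tying the size to the object is more robust: `memset(vstor_packet, 0, sizeof(*vstor_packet));` and `memset(&cmd_request->vstor_packet, 0, sizeof(cmd_request->vstor_packet));`. Both functions start and end outside their hunks, so whether other senders of outgoing packets need the same clear cannot be judged from here.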