[RHEL7,COMMIT] ms/target: check XCOPY segment descriptor CSCD IDs

Submitted by Konstantin Khorenko on April 3, 2018, 1:11 p.m.

Details

Message ID 201804031311.w33DBbEM024397@finist_ce7.work
State New
Series "target: backport bug fixes for XCOPY"
Headers show

Commit Message

Konstantin Khorenko April 3, 2018, 1:11 p.m.
The commit is pushed to "branch-rh7-3.10.0-693.21.1.vz7.46.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.21.1.vz7.46.3
------>
commit a61cffed601c3d59ad3678f27c1e65362164fdd1
Author: David Disseldorp <ddiss@suse.de>
Date:   Tue Apr 3 16:11:37 2018 +0300

    ms/target: check XCOPY segment descriptor CSCD IDs
    
    ML: f184210bca6c9d0091ff5e5629dea4cbb8a17c0f
    
    Ensure that the segment descriptor CSCD descriptor ID values correspond
    to CSCD descriptor entries located in the XCOPY command parameter list.
    SPC4r37 6.4.6.1 Table 150 specifies this range as 0000h to 07FFh, where
    the CSCD descriptor location in the parameter list can be located via:
    16 + (id * 32)
    
    Signed-off-by: David Disseldorp <ddiss@suse.de>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    [ bvanassche: inserted "; " in the format string of an error message
      and also moved a "||" operator from the start of a line to the end
      of the previous line ]
    Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
    
    Signed-off-by: Andrei Vagin <avagin@openvz.org>
---
 drivers/target/target_core_xcopy.c | 8 ++++++++
 drivers/target/target_core_xcopy.h | 6 ++++++
 2 files changed, 14 insertions(+)

Patch hide | download patch | download mbox

diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c
index a688b7513bae..afced9c621b8 100644
--- a/drivers/target/target_core_xcopy.c
+++ b/drivers/target/target_core_xcopy.c
@@ -305,6 +305,14 @@  static int target_xcopy_parse_segdesc_02(struct se_cmd *se_cmd, struct xcopy_op
 
 	xop->stdi = get_unaligned_be16(&desc[4]);
 	xop->dtdi = get_unaligned_be16(&desc[6]);
+
+	if (xop->stdi > XCOPY_CSCD_DESC_ID_LIST_OFF_MAX ||
+	    xop->dtdi > XCOPY_CSCD_DESC_ID_LIST_OFF_MAX) {
+		pr_err("XCOPY segment desc 0x02: unsupported CSCD ID > 0x%x; stdi: %hu dtdi: %hu\n",
+			XCOPY_CSCD_DESC_ID_LIST_OFF_MAX, xop->stdi, xop->dtdi);
+		return -EINVAL;
+	}
+
 	pr_debug("XCOPY seg desc 0x02: desc_len: %hu stdi: %hu dtdi: %hu, DC: %d\n",
 		desc_len, xop->stdi, xop->dtdi, dc);
 
diff --git a/drivers/target/target_core_xcopy.h b/drivers/target/target_core_xcopy.h
index b5baeccfc8eb..654b76a37aad 100644
--- a/drivers/target/target_core_xcopy.h
+++ b/drivers/target/target_core_xcopy.h
@@ -4,6 +4,12 @@ 
 #define XCOPY_NAA_IEEE_REGEX_LEN	16
 #define XCOPY_MAX_SECTORS		1024
 
+/*
+ * SPC4r37 6.4.6.1
+ * Table 150 — CSCD descriptor ID values
+ */
+#define XCOPY_CSCD_DESC_ID_LIST_OFF_MAX	0x07FF
+
 enum xcopy_origin_list {
 	XCOL_SOURCE_RECV_OP = 0x01,
 	XCOL_DEST_RECV_OP = 0x02,