git-server-git.apps.pok.os.sepia.ceph.com Git

author	Tyllis Xu <livelycarpet87@gmail.com>
	Sat, 14 Mar 2026 17:01:50 +0000 (12:01 -0500)
committer	Martin K. Petersen <martin.petersen@oracle.com>
	Fri, 20 Mar 2026 01:42:35 +0000 (21:42 -0400)
commit	61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f
tree	c0b6c38e56569279aec2ae05e955f4e45936a28a	tree \| snapshot
parent	7a9f448d44127217fabc4065c5ba070d4e0b5d37	commit \| diff

scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()

A malicious or compromised VIO server can return a num_written value in the
discover targets MAD response that exceeds max_targets. This value is
stored directly in vhost->num_targets without validation, and is then used
as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which
is only allocated for max_targets entries. Indices at or beyond max_targets
access kernel memory outside the DMA-coherent allocation. The
out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI
MADs that are sent back to the VIO server, leaking kernel memory.

Fix by clamping num_written to max_targets before storing it.

Fixes: 072b91f9c651 ("[SCSI] ibmvfc: IBM Power Virtual Fibre Channel Adapter Client Driver")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Reviewed-by: Dave Marquardt <davemarq@linux.ibm.com>
Acked-by: Tyrel Datwyler <tyreld@linux.ibm.com>
Link: https://patch.msgid.link/20260314170151.548614-1-LivelyCarpet87@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>