On 21/12/2015 10:43, P J P wrote: > Hello, > > A stack overflow issue was reported by Mr Qinghao Tang, CC'd here. It > occurs while processing the SCSI controller's CTRL_GET_INFO command, as > the memset(2) call uses driver supplied 'cmd->iov_size' to initialise > the '&info' object. > > Please see below a proposed patch to fix this issue. Does it look okay? > > === > From 5823b4a214ede884f4ba597fdd629862620e0f92 Mon Sep 17 00:00:00 2001 > From: Prasad J Pandit <p...@fedoraproject.org> > Date: Mon, 21 Dec 2015 14:48:18 +0530 > Subject: [PATCH] scsi: initialise info object with appropriate size > > While processing controller 'CTRL_GET_INFO' command, the routine > 'megasas_ctrl_get_info' overflows the '&info' object size. Use its > appropriate size to null initialise it. > > Reported-by: Qinghao Tang <luodalon...@gmail.com> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/scsi/megasas.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c > index d7dc667..576f56c 100644 > --- a/hw/scsi/megasas.c > +++ b/hw/scsi/megasas.c > @@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, > MegasasCmd *cmd) > BusChild *kid; > int num_pd_disks = 0; > > - memset(&info, 0x0, cmd->iov_size); > + memset(&info, 0x0, dcmd_size); > if (cmd->iov_size < dcmd_size) { > trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, > dcmd_size);
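Review bot: The new memset in megasas_ctrl_get_info is only correct if dcmd_size equals sizeof(info), and nothing in the hunk shows where dcmd_size comes from or ties it to the size of the info object. Writing the line as `memset(&info, 0x0, sizeof(info));` makes the bound self-evident and cannot drift if dcmd_size is ever computed differently; if dcmd_size is kept, a comment at its definition noting that it must match sizeof(info) would help the next reader. The ordering is otherwise right: the memset no longer trusts the guest-supplied cmd->iov_size, and the `if (cmd->iov_size < dcmd_size)` check that follows still rejects short transfers via trace_megasas_dcmd_invalid_xfer_len.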
Yes, it is. I've queued this patch to my for-2.6 branch. Paolo