|
|
04555e |
From 7627b7136546892ed803c6f41153d0674c05fc1f Mon Sep 17 00:00:00 2001
|
|
|
04555e |
From: Joe Lawrence <joe.lawrence@redhat.com>
|
|
|
04555e |
Date: Fri, 26 Mar 2021 13:24:17 -0400
|
|
|
04555e |
Subject: [PATCH] scsi: iscsi: kpatch fixes for CVE-2021-27364 and
|
|
|
04555e |
CVE-2021-27365
|
|
|
04555e |
|
|
|
04555e |
Notes: backport CVE-2021-27363 to simplify patchset
|
|
|
04555e |
see [JL] notes in commit msgs below correcting CVE numbers
|
|
|
04555e |
|
|
|
04555e |
Kernels:
|
|
|
04555e |
3.10.0-1160.el7
|
|
|
04555e |
3.10.0-1160.2.1.el7
|
|
|
04555e |
3.10.0-1160.2.2.el7
|
|
|
04555e |
3.10.0-1160.6.1.el7
|
|
|
04555e |
3.10.0-1160.11.1.el7
|
|
|
04555e |
3.10.0-1160.15.2.el7
|
|
|
04555e |
3.10.0-1160.21.1.el7
|
|
|
04555e |
|
|
|
04555e |
Changes since last build:
|
|
|
04555e |
arches: x86_64 ppc64le
|
|
|
04555e |
libiscsi.o: changed function: iscsi_conn_get_addr_param
|
|
|
04555e |
libiscsi.o: changed function: iscsi_conn_get_param
|
|
|
04555e |
libiscsi.o: changed function: iscsi_host_get_param
|
|
|
04555e |
libiscsi.o: changed function: iscsi_session_get_param
|
|
|
04555e |
scsi_transport_iscsi.o: changed function: iscsi_if_recv_msg
|
|
|
04555e |
scsi_transport_iscsi.o: changed function: show_ep_handle
|
|
|
04555e |
scsi_transport_iscsi.o: changed function: show_priv_session_creator
|
|
|
04555e |
scsi_transport_iscsi.o: changed function: show_priv_session_recovery_tmo
|
|
|
04555e |
scsi_transport_iscsi.o: changed function: show_priv_session_state
|
|
|
04555e |
scsi_transport_iscsi.o: changed function: show_priv_session_target_id
|
|
|
04555e |
scsi_transport_iscsi.o: changed function: show_transport_caps
|
|
|
04555e |
scsi_transport_iscsi.o: changed function: show_transport_handle
|
|
|
04555e |
---------------------------
|
|
|
04555e |
|
|
|
04555e |
Modifications: none
|
|
|
04555e |
|
|
|
04555e |
commit b307f0f6090743a904454f6ecc54d290ca18a693
|
|
|
04555e |
Author: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
Date: Thu Mar 4 09:55:32 2021 -0800
|
|
|
04555e |
|
|
|
04555e |
scsi: iscsi: Restrict sessions and handles to admin capabilities
|
|
|
04555e |
|
|
|
04555e |
Bugzilla: http://bugzilla.redhat.com/1930807
|
|
|
04555e |
CVE: CVE-2021-27364 << [JL] should be CVE-2021-27363
|
|
|
04555e |
|
|
|
04555e |
commit 688e8128b7a92df982709a4137ea4588d16f24aa
|
|
|
04555e |
Author: Lee Duncan <lduncan@suse.com>
|
|
|
04555e |
Date: Tue Feb 23 13:06:24 2021 -0800
|
|
|
04555e |
|
|
|
04555e |
scsi: iscsi: Restrict sessions and handles to admin capabilities
|
|
|
04555e |
|
|
|
04555e |
Protect the iSCSI transport handle, available in sysfs, by requiring
|
|
|
04555e |
CAP_SYS_ADMIN to read it. Also protect the netlink socket by restricting
|
|
|
04555e |
reception of messages to ones sent with CAP_SYS_ADMIN. This disables
|
|
|
04555e |
normal users from being able to end arbitrary iSCSI sessions.
|
|
|
04555e |
|
|
|
04555e |
Cc: stable@vger.kernel.org
|
|
|
04555e |
Reported-by: Adam Nichols <adam@grimm-co.com>
|
|
|
04555e |
Reviewed-by: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
Reviewed-by: Mike Christie <michael.christie@oracle.com>
|
|
|
04555e |
Signed-off-by: Lee Duncan <lduncan@suse.com>
|
|
|
04555e |
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
|
|
04555e |
|
|
|
04555e |
Signed-off-by: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
|
|
|
04555e |
commit af581fe518f4d6a6f28064f932d9374e0444d706
|
|
|
04555e |
Author: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
Date: Thu Mar 4 09:57:23 2021 -0800
|
|
|
04555e |
|
|
|
04555e |
scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
|
|
|
04555e |
|
|
|
04555e |
Bugzilla: http://bugzilla.redhat.com/1930849
|
|
|
04555e |
CVE: CVE-2021-27363 << [JL] should be CVE-2021-27365
|
|
|
04555e |
|
|
|
04555e |
Conflicts: The sysfs_emit helper doesn't exist for backports, but other
|
|
|
04555e |
than a sanity check on buf it's just a call to scnprintf with a
|
|
|
04555e |
PAGE_SIZE limit.
|
|
|
04555e |
converted with s/sysfs_emit(buf,/scnprintf(buf, PAGE_SIZE,/
|
|
|
04555e |
|
|
|
04555e |
commit ec98ea7070e94cc25a422ec97d1421e28d97b7ee
|
|
|
04555e |
Author: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
Date: Tue Feb 23 18:00:17 2021 -0800
|
|
|
04555e |
|
|
|
04555e |
scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
|
|
|
04555e |
|
|
|
04555e |
As the iSCSI parameters are exported back through sysfs, it should be
|
|
|
04555e |
enforcing that they never are more than PAGE_SIZE (which should be more
|
|
|
04555e |
than enough) before accepting updates through netlink.
|
|
|
04555e |
|
|
|
04555e |
Change all iSCSI sysfs attributes to use sysfs_emit().
|
|
|
04555e |
|
|
|
04555e |
Cc: stable@vger.kernel.org
|
|
|
04555e |
Reported-by: Adam Nichols <adam@grimm-co.com>
|
|
|
04555e |
Reviewed-by: Lee Duncan <lduncan@suse.com>
|
|
|
04555e |
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
|
04555e |
Reviewed-by: Mike Christie <michael.christie@oracle.com>
|
|
|
04555e |
Signed-off-by: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
|
|
04555e |
|
|
|
04555e |
Signed-off-by: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
|
|
|
04555e |
commit 8026ca13e283db6175377fccf309e8c5239033be
|
|
|
04555e |
Author: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
Date: Thu Mar 4 09:58:33 2021 -0800
|
|
|
04555e |
|
|
|
04555e |
scsi: iscsi: Verify lengths on passthrough PDUs
|
|
|
04555e |
|
|
|
04555e |
Bugzilla: http://bugzilla.redhat.com/1930826
|
|
|
04555e |
CVE: CVE-2021-27365 << [JL] should be CVE-2021-27364
|
|
|
04555e |
|
|
|
04555e |
commit f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5
|
|
|
04555e |
Author: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
Date: Tue Feb 23 21:39:01 2021 -0800
|
|
|
04555e |
|
|
|
04555e |
scsi: iscsi: Verify lengths on passthrough PDUs
|
|
|
04555e |
|
|
|
04555e |
Open-iSCSI sends passthrough PDUs over netlink, but the kernel should be
|
|
|
04555e |
verifying that the provided PDU header and data lengths fall within the
|
|
|
04555e |
netlink message to prevent accessing beyond that in memory.
|
|
|
04555e |
|
|
|
04555e |
Cc: stable@vger.kernel.org
|
|
|
04555e |
Reported-by: Adam Nichols <adam@grimm-co.com>
|
|
|
04555e |
Reviewed-by: Lee Duncan <lduncan@suse.com>
|
|
|
04555e |
Reviewed-by: Mike Christie <michael.christie@oracle.com>
|
|
|
04555e |
Signed-off-by: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
|
|
04555e |
|
|
|
04555e |
Signed-off-by: Chris Leech <cleech@redhat.com>
|
|
|
04555e |
|
|
|
04555e |
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
|
|
|
04555e |
Acked-by: Artem Savkov <asavkov@redhat.com>
|
|
|
04555e |
---
|
|
|
04555e |
drivers/scsi/libiscsi.c | 148 ++++++++++++++--------------
|
|
|
04555e |
drivers/scsi/scsi_transport_iscsi.c | 38 +++++--
|
|
|
04555e |
2 files changed, 104 insertions(+), 82 deletions(-)
|
|
|
04555e |
|
|
|
04555e |
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
|
|
|
04555e |
index bd36ead89f9d..5530662bd9ed 100644
|
|
|
04555e |
--- a/drivers/scsi/libiscsi.c
|
|
|
04555e |
+++ b/drivers/scsi/libiscsi.c
|
|
|
04555e |
@@ -3323,125 +3323,125 @@ int iscsi_session_get_param(struct iscsi_cls_session *cls_session,
|
|
|
04555e |
|
|
|
04555e |
switch(param) {
|
|
|
04555e |
case ISCSI_PARAM_FAST_ABORT:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->fast_abort);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->fast_abort);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_ABORT_TMO:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->abort_timeout);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->abort_timeout);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_LU_RESET_TMO:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->lu_reset_timeout);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->lu_reset_timeout);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TGT_RESET_TMO:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->tgt_reset_timeout);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->tgt_reset_timeout);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_INITIAL_R2T_EN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->initial_r2t_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->initial_r2t_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_MAX_R2T:
|
|
|
04555e |
- len = sprintf(buf, "%hu\n", session->max_r2t);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%hu\n", session->max_r2t);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_IMM_DATA_EN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->imm_data_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->imm_data_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_FIRST_BURST:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->first_burst);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->first_burst);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_MAX_BURST:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->max_burst);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->max_burst);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_PDU_INORDER_EN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->pdu_inorder_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->pdu_inorder_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DATASEQ_INORDER_EN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->dataseq_inorder_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->dataseq_inorder_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DEF_TASKMGMT_TMO:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->def_taskmgmt_tmo);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->def_taskmgmt_tmo);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_ERL:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->erl);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->erl);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TARGET_NAME:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->targetname);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->targetname);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TARGET_ALIAS:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->targetalias);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->targetalias);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TPGT:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->tpgt);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->tpgt);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_USERNAME:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->username);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->username);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_USERNAME_IN:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->username_in);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->username_in);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_PASSWORD:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->password);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->password);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_PASSWORD_IN:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->password_in);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->password_in);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_IFACE_NAME:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->ifacename);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->ifacename);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_INITIATOR_NAME:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->initiatorname);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->initiatorname);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_BOOT_ROOT:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->boot_root);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->boot_root);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_BOOT_NIC:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->boot_nic);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->boot_nic);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_BOOT_TARGET:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->boot_target);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->boot_target);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_AUTO_SND_TGT_DISABLE:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->auto_snd_tgt_disable);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->auto_snd_tgt_disable);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DISCOVERY_SESS:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->discovery_sess);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->discovery_sess);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_PORTAL_TYPE:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", session->portal_type);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->portal_type);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_CHAP_AUTH_EN:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->chap_auth_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->chap_auth_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DISCOVERY_LOGOUT_EN:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->discovery_logout_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->discovery_logout_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_BIDI_CHAP_EN:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->bidi_chap_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->bidi_chap_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DISCOVERY_AUTH_OPTIONAL:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->discovery_auth_optional);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->discovery_auth_optional);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DEF_TIME2WAIT:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->time2wait);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->time2wait);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DEF_TIME2RETAIN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", session->time2retain);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->time2retain);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TSID:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->tsid);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->tsid);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_ISID:
|
|
|
04555e |
- len = sprintf(buf, "%02x%02x%02x%02x%02x%02x\n",
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%02x%02x%02x%02x%02x%02x\n",
|
|
|
04555e |
session->isid[0], session->isid[1],
|
|
|
04555e |
session->isid[2], session->isid[3],
|
|
|
04555e |
session->isid[4], session->isid[5]);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DISCOVERY_PARENT_IDX:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", session->discovery_parent_idx);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->discovery_parent_idx);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DISCOVERY_PARENT_TYPE:
|
|
|
04555e |
if (session->discovery_parent_type)
|
|
|
04555e |
- len = sprintf(buf, "%s\n",
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n",
|
|
|
04555e |
session->discovery_parent_type);
|
|
|
04555e |
else
|
|
|
04555e |
- len = sprintf(buf, "\n");
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "\n");
|
|
|
04555e |
break;
|
|
|
04555e |
default:
|
|
|
04555e |
return -ENOSYS;
|
|
|
04555e |
@@ -3473,16 +3473,16 @@ int iscsi_conn_get_addr_param(struct sockaddr_storage *addr,
|
|
|
04555e |
case ISCSI_PARAM_CONN_ADDRESS:
|
|
|
04555e |
case ISCSI_HOST_PARAM_IPADDRESS:
|
|
|
04555e |
if (sin)
|
|
|
04555e |
- len = sprintf(buf, "%pI4\n", &sin->sin_addr.s_addr);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%pI4\n", &sin->sin_addr.s_addr);
|
|
|
04555e |
else
|
|
|
04555e |
- len = sprintf(buf, "%pI6\n", &sin6->sin6_addr);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%pI6\n", &sin6->sin6_addr);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_CONN_PORT:
|
|
|
04555e |
case ISCSI_PARAM_LOCAL_PORT:
|
|
|
04555e |
if (sin)
|
|
|
04555e |
- len = sprintf(buf, "%hu\n", be16_to_cpu(sin->sin_port));
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%hu\n", be16_to_cpu(sin->sin_port));
|
|
|
04555e |
else
|
|
|
04555e |
- len = sprintf(buf, "%hu\n",
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%hu\n",
|
|
|
04555e |
be16_to_cpu(sin6->sin6_port));
|
|
|
04555e |
break;
|
|
|
04555e |
default:
|
|
|
04555e |
@@ -3501,88 +3501,88 @@ int iscsi_conn_get_param(struct iscsi_cls_conn *cls_conn,
|
|
|
04555e |
|
|
|
04555e |
switch(param) {
|
|
|
04555e |
case ISCSI_PARAM_PING_TMO:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->ping_timeout);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->ping_timeout);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_RECV_TMO:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->recv_timeout);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->recv_timeout);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_MAX_RECV_DLENGTH:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->max_recv_dlength);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->max_recv_dlength);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_MAX_XMIT_DLENGTH:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->max_xmit_dlength);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->max_xmit_dlength);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_HDRDGST_EN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", conn->hdrdgst_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->hdrdgst_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_DATADGST_EN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", conn->datadgst_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->datadgst_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_IFMARKER_EN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", conn->ifmarker_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->ifmarker_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_OFMARKER_EN:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", conn->ofmarker_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->ofmarker_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_EXP_STATSN:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->exp_statsn);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->exp_statsn);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_PERSISTENT_PORT:
|
|
|
04555e |
- len = sprintf(buf, "%d\n", conn->persistent_port);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->persistent_port);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_PERSISTENT_ADDRESS:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", conn->persistent_address);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", conn->persistent_address);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_STATSN:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->statsn);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->statsn);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_MAX_SEGMENT_SIZE:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->max_segment_size);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->max_segment_size);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_KEEPALIVE_TMO:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->keepalive_tmo);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->keepalive_tmo);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_LOCAL_PORT:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->local_port);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->local_port);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TCP_TIMESTAMP_STAT:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->tcp_timestamp_stat);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_timestamp_stat);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TCP_NAGLE_DISABLE:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->tcp_nagle_disable);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_nagle_disable);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TCP_WSF_DISABLE:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->tcp_wsf_disable);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_wsf_disable);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TCP_TIMER_SCALE:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->tcp_timer_scale);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_timer_scale);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TCP_TIMESTAMP_EN:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->tcp_timestamp_en);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_timestamp_en);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_IP_FRAGMENT_DISABLE:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->fragment_disable);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->fragment_disable);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_IPV4_TOS:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->ipv4_tos);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->ipv4_tos);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_IPV6_TC:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->ipv6_traffic_class);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->ipv6_traffic_class);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_IPV6_FLOW_LABEL:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->ipv6_flow_label);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->ipv6_flow_label);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_IS_FW_ASSIGNED_IPV6:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->is_fw_assigned_ipv6);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->is_fw_assigned_ipv6);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TCP_XMIT_WSF:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->tcp_xmit_wsf);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_xmit_wsf);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_TCP_RECV_WSF:
|
|
|
04555e |
- len = sprintf(buf, "%u\n", conn->tcp_recv_wsf);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_recv_wsf);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_PARAM_LOCAL_IPADDR:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", conn->local_ipaddr);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", conn->local_ipaddr);
|
|
|
04555e |
break;
|
|
|
04555e |
default:
|
|
|
04555e |
return -ENOSYS;
|
|
|
04555e |
@@ -3600,13 +3600,13 @@ int iscsi_host_get_param(struct Scsi_Host *shost, enum iscsi_host_param param,
|
|
|
04555e |
|
|
|
04555e |
switch (param) {
|
|
|
04555e |
case ISCSI_HOST_PARAM_NETDEV_NAME:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", ihost->netdev);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", ihost->netdev);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_HOST_PARAM_HWADDRESS:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", ihost->hwaddress);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", ihost->hwaddress);
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_HOST_PARAM_INITIATOR_NAME:
|
|
|
04555e |
- len = sprintf(buf, "%s\n", ihost->initiatorname);
|
|
|
04555e |
+ len = scnprintf(buf, PAGE_SIZE, "%s\n", ihost->initiatorname);
|
|
|
04555e |
break;
|
|
|
04555e |
default:
|
|
|
04555e |
return -ENOSYS;
|
|
|
04555e |
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
|
|
|
04555e |
index 2265611b7e37..f0738bb165f2 100644
|
|
|
04555e |
--- a/drivers/scsi/scsi_transport_iscsi.c
|
|
|
04555e |
+++ b/drivers/scsi/scsi_transport_iscsi.c
|
|
|
04555e |
@@ -119,7 +119,11 @@ show_transport_handle(struct device *dev, struct device_attribute *attr,
|
|
|
04555e |
char *buf)
|
|
|
04555e |
{
|
|
|
04555e |
struct iscsi_internal *priv = dev_to_iscsi_internal(dev);
|
|
|
04555e |
- return sprintf(buf, "%llu\n", (unsigned long long)iscsi_handle(priv->iscsi_transport));
|
|
|
04555e |
+
|
|
|
04555e |
+ if (!capable(CAP_SYS_ADMIN))
|
|
|
04555e |
+ return -EACCES;
|
|
|
04555e |
+ return scnprintf(buf, PAGE_SIZE, "%llu\n",
|
|
|
04555e |
+ (unsigned long long)iscsi_handle(priv->iscsi_transport));
|
|
|
04555e |
}
|
|
|
04555e |
static DEVICE_ATTR(handle, S_IRUGO, show_transport_handle, NULL);
|
|
|
04555e |
|
|
|
04555e |
@@ -129,7 +133,7 @@ show_transport_##name(struct device *dev, \
|
|
|
04555e |
struct device_attribute *attr,char *buf) \
|
|
|
04555e |
{ \
|
|
|
04555e |
struct iscsi_internal *priv = dev_to_iscsi_internal(dev); \
|
|
|
04555e |
- return sprintf(buf, format"\n", priv->iscsi_transport->name); \
|
|
|
04555e |
+ return scnprintf(buf, PAGE_SIZE, format"\n", priv->iscsi_transport->name);\
|
|
|
04555e |
} \
|
|
|
04555e |
static DEVICE_ATTR(name, S_IRUGO, show_transport_##name, NULL);
|
|
|
04555e |
|
|
|
04555e |
@@ -170,7 +174,7 @@ static ssize_t
|
|
|
04555e |
show_ep_handle(struct device *dev, struct device_attribute *attr, char *buf)
|
|
|
04555e |
{
|
|
|
04555e |
struct iscsi_endpoint *ep = iscsi_dev_to_endpoint(dev);
|
|
|
04555e |
- return sprintf(buf, "%llu\n", (unsigned long long) ep->id);
|
|
|
04555e |
+ return scnprintf(buf, PAGE_SIZE, "%llu\n", (unsigned long long) ep->id);
|
|
|
04555e |
}
|
|
|
04555e |
static ISCSI_ATTR(ep, handle, S_IRUGO, show_ep_handle, NULL);
|
|
|
04555e |
|
|
|
04555e |
@@ -2779,6 +2783,9 @@ iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev)
|
|
|
04555e |
struct iscsi_cls_session *session;
|
|
|
04555e |
int err = 0, value = 0;
|
|
|
04555e |
|
|
|
04555e |
+ if (ev->u.set_param.len > PAGE_SIZE)
|
|
|
04555e |
+ return -EINVAL;
|
|
|
04555e |
+
|
|
|
04555e |
session = iscsi_session_lookup(ev->u.set_param.sid);
|
|
|
04555e |
conn = iscsi_conn_lookup(ev->u.set_param.sid, ev->u.set_param.cid);
|
|
|
04555e |
if (!conn || !session)
|
|
|
04555e |
@@ -2926,6 +2933,9 @@ iscsi_set_host_param(struct iscsi_transport *transport,
|
|
|
04555e |
if (!transport->set_host_param)
|
|
|
04555e |
return -ENOSYS;
|
|
|
04555e |
|
|
|
04555e |
+ if (ev->u.set_host_param.len > PAGE_SIZE)
|
|
|
04555e |
+ return -EINVAL;
|
|
|
04555e |
+
|
|
|
04555e |
shost = scsi_host_lookup(ev->u.set_host_param.host_no);
|
|
|
04555e |
if (!shost) {
|
|
|
04555e |
printk(KERN_ERR "set_host_param could not find host no %u\n",
|
|
|
04555e |
@@ -3495,6 +3505,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
|
|
|
04555e |
{
|
|
|
04555e |
int err = 0;
|
|
|
04555e |
u32 portid;
|
|
|
04555e |
+ u32 pdu_len;
|
|
|
04555e |
struct iscsi_uevent *ev = nlmsg_data(nlh);
|
|
|
04555e |
struct iscsi_transport *transport = NULL;
|
|
|
04555e |
struct iscsi_internal *priv;
|
|
|
04555e |
@@ -3502,6 +3513,9 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
|
|
|
04555e |
struct iscsi_cls_conn *conn;
|
|
|
04555e |
struct iscsi_endpoint *ep = NULL;
|
|
|
04555e |
|
|
|
04555e |
+ if (!netlink_capable(skb, CAP_SYS_ADMIN))
|
|
|
04555e |
+ return -EPERM;
|
|
|
04555e |
+
|
|
|
04555e |
if (nlh->nlmsg_type == ISCSI_UEVENT_PATH_UPDATE)
|
|
|
04555e |
*group = ISCSI_NL_GRP_UIP;
|
|
|
04555e |
else
|
|
|
04555e |
@@ -3607,6 +3621,14 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
|
|
|
04555e |
err = -EINVAL;
|
|
|
04555e |
break;
|
|
|
04555e |
case ISCSI_UEVENT_SEND_PDU:
|
|
|
04555e |
+ pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev);
|
|
|
04555e |
+
|
|
|
04555e |
+ if ((ev->u.send_pdu.hdr_size > pdu_len) ||
|
|
|
04555e |
+ (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) {
|
|
|
04555e |
+ err = -EINVAL;
|
|
|
04555e |
+ break;
|
|
|
04555e |
+ }
|
|
|
04555e |
+
|
|
|
04555e |
conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid);
|
|
|
04555e |
if (conn)
|
|
|
04555e |
ev->r.retcode = transport->send_pdu(conn,
|
|
|
04555e |
@@ -4013,7 +4035,7 @@ show_priv_session_state(struct device *dev, struct device_attribute *attr,
|
|
|
04555e |
char *buf)
|
|
|
04555e |
{
|
|
|
04555e |
struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent);
|
|
|
04555e |
- return sprintf(buf, "%s\n", iscsi_session_state_name(session->state));
|
|
|
04555e |
+ return scnprintf(buf, PAGE_SIZE, "%s\n", iscsi_session_state_name(session->state));
|
|
|
04555e |
}
|
|
|
04555e |
static ISCSI_CLASS_ATTR(priv_sess, state, S_IRUGO, show_priv_session_state,
|
|
|
04555e |
NULL);
|
|
|
04555e |
@@ -4022,7 +4044,7 @@ show_priv_session_creator(struct device *dev, struct device_attribute *attr,
|
|
|
04555e |
char *buf)
|
|
|
04555e |
{
|
|
|
04555e |
struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent);
|
|
|
04555e |
- return sprintf(buf, "%d\n", session->creator);
|
|
|
04555e |
+ return scnprintf(buf, PAGE_SIZE, "%d\n", session->creator);
|
|
|
04555e |
}
|
|
|
04555e |
static ISCSI_CLASS_ATTR(priv_sess, creator, S_IRUGO, show_priv_session_creator,
|
|
|
04555e |
NULL);
|
|
|
04555e |
@@ -4031,7 +4053,7 @@ show_priv_session_target_id(struct device *dev, struct device_attribute *attr,
|
|
|
04555e |
char *buf)
|
|
|
04555e |
{
|
|
|
04555e |
struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent);
|
|
|
04555e |
- return sprintf(buf, "%d\n", session->target_id);
|
|
|
04555e |
+ return scnprintf(buf, PAGE_SIZE, "%d\n", session->target_id);
|
|
|
04555e |
}
|
|
|
04555e |
static ISCSI_CLASS_ATTR(priv_sess, target_id, S_IRUGO,
|
|
|
04555e |
show_priv_session_target_id, NULL);
|
|
|
04555e |
@@ -4044,8 +4066,8 @@ show_priv_session_##field(struct device *dev, \
|
|
|
04555e |
struct iscsi_cls_session *session = \
|
|
|
04555e |
iscsi_dev_to_session(dev->parent); \
|
|
|
04555e |
if (session->field == -1) \
|
|
|
04555e |
- return sprintf(buf, "off\n"); \
|
|
|
04555e |
- return sprintf(buf, format"\n", session->field); \
|
|
|
04555e |
+ return scnprintf(buf, PAGE_SIZE, "off\n"); \
|
|
|
04555e |
+ return scnprintf(buf, PAGE_SIZE, format"\n", session->field); \
|
|
|
04555e |
}
|
|
|
04555e |
|
|
|
04555e |
#define iscsi_priv_session_attr_store(field) \
|
|
|
04555e |
--
|
|
|
04555e |
2.26.2
|
|
|
04555e |
|