scsi: target: core: Fix integer overflow in UNMAP bounds check

sbc_execute_unmap() checks LBA + range does not exceed the device capacity,
but does not guard against LBA + range wrapping around on 64-bit overflow.

Add an overflow check matching the pattern already used for WRITE_SAME in
the same file.

Fixes: 86d7182985 ("target: Add sbc_execute_unmap() helper")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881593C61AD52C69FBDB0BDAF7CA@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Junrui Luo
2026-03-04 23:42:58 +08:00
committed by Martin K. Petersen
parent 20ca5460e5
commit 2bf2d65f76

@@ -1187,7 +1187,8 @@ sbc_execute_unmap(struct se_cmd *cmd)
goto err;
}
if (lba + range > dev->transport->get_blocks(dev) + 1) {
if (lba + range < lba ||
lba + range > dev->transport->get_blocks(dev) + 1) {
ret = TCM_ADDRESS_OUT_OF_RANGE;
goto err;
}
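
Review bot: The wrap test `lba + range < lba` in the new condition is only correct if the addition is carried out in an unsigned type at least as wide as `lba`, and the declarations of `lba` and `range` are not visible in this hunk, so that should be confirmed or stated in a short comment. The sum is also evaluated twice; computing it once with check_add_overflow() from <linux/overflow.h> into a local and comparing that local against the capacity would make the intent explicit and independent of the operand types. Separately, the right-hand side `dev->transport->get_blocks(dev) + 1` is itself an unchecked addition, so it is worth noting why it cannot wrap for any value get_blocks() may return.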