Re: [PATCH] scsi: fix shift out-of-bounds in sg_build_indirect The num variable is set to 0. The variable num gets its value from scatter_elem_sz. However the minimum value of scatter_elem_sz is PAGE_SHIFT. So setting num to PAGE_SIZE when num < PAGE_SIZE.

6 Oct 2025

On 10/6/25 11:46 AM, Kshitij Paranjape wrote:
...
Cc: stable@vger.kernel.org
Reported-by: syzbot+270f1c719ee7baab9941@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=270f1c719ee7baab9941
Signed-off-by: Kshitij Paranjape kshitijvparanjape@gmail.com

drivers/scsi/sg.c | 1 +
  1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index effb7e768165..9ae41bb256d7 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1888,6 +1888,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size)
   	if (num < PAGE_SIZE) {
   		scatter_elem_sz = PAGE_SIZE;
   		scatter_elem_sz_prev = PAGE_SIZE;

	num = scatter_elem_sz;

} else
	scatter_elem_sz_prev = num;
}

Have you seen any issues caused by not setting num to PAGE_SIZE when num 
< PAGE_SIZE?
From what I can see, num is used to calculate the page order for 
allocation which will be 0 whether num=PAGE_SIZE or < PAGE_SIZE. After 
that num gets assigned a new value any way before its next use.
--
Khalid

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

Re: [PATCH] scsi: fix shift out-of-bounds in sg_build_indirect The num variable is set to 0. The variable num gets its value from scatter_elem_sz. However the minimum value of scatter_elem_sz is PAGE_SHIFT. So setting num to PAGE_SIZE when num < PAGE_SIZE.