[PATCH] scsi: fix shift out-of-bounds in sg_build_indirect The num variable is set to 0. The variable num gets its value from scatter_elem_sz. However the minimum value of scatter_elem_sz is PAGE_SHIFT. So setting num to PAGE_SIZE when num < PAGE_SIZE.
Cc: stable@vger.kernel.org Reported-by: syzbot+270f1c719ee7baab9941@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=270f1c719ee7baab9941 Signed-off-by: Kshitij Paranjape kshitijvparanjape@gmail.com --- drivers/scsi/sg.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index effb7e768165..9ae41bb256d7 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1888,6 +1888,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size) if (num < PAGE_SIZE) { scatter_elem_sz = PAGE_SIZE; scatter_elem_sz_prev = PAGE_SIZE; + num = scatter_elem_sz; } else scatter_elem_sz_prev = num; }
Hi Kshitij,
Subject line of your patch should not exceed more than 80 characters [recommended] Please check your patch format.
~~vivek
On Mon, Oct 6, 2025 at 11:17 PM Kshitij Paranjape kshitijvparanjape@gmail.com wrote:
Cc: stable@vger.kernel.org Reported-by: syzbot+270f1c719ee7baab9941@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=270f1c719ee7baab9941 Signed-off-by: Kshitij Paranjape kshitijvparanjape@gmail.com
drivers/scsi/sg.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index effb7e768165..9ae41bb256d7 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1888,6 +1888,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size) if (num < PAGE_SIZE) { scatter_elem_sz = PAGE_SIZE; scatter_elem_sz_prev = PAGE_SIZE;
num = scatter_elem_sz; } else scatter_elem_sz_prev = num; }-- 2.43.0
On 10/6/25 11:46 AM, Kshitij Paranjape wrote:
Cc: stable@vger.kernel.org Reported-by: syzbot+270f1c719ee7baab9941@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=270f1c719ee7baab9941 Signed-off-by: Kshitij Paranjape kshitijvparanjape@gmail.com
drivers/scsi/sg.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index effb7e768165..9ae41bb256d7 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1888,6 +1888,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size) if (num < PAGE_SIZE) { scatter_elem_sz = PAGE_SIZE; scatter_elem_sz_prev = PAGE_SIZE;
num = scatter_elem_sz;
Please add a one line summary above your commit log to avoid the issue Vivek pointed out. One line summary will become the subject line for your patch email.
-- Khalid
On 10/6/25 11:46 AM, Kshitij Paranjape wrote:
Cc: stable@vger.kernel.org Reported-by: syzbot+270f1c719ee7baab9941@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=270f1c719ee7baab9941 Signed-off-by: Kshitij Paranjape kshitijvparanjape@gmail.com
drivers/scsi/sg.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index effb7e768165..9ae41bb256d7 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1888,6 +1888,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size) if (num < PAGE_SIZE) { scatter_elem_sz = PAGE_SIZE; scatter_elem_sz_prev = PAGE_SIZE;
num = scatter_elem_sz;
Have you seen any issues caused by not setting num to PAGE_SIZE when num < PAGE_SIZE?
From what I can see, num is used to calculate the page order for allocation which will be 0 whether num=PAGE_SIZE or < PAGE_SIZE. After that num gets assigned a new value any way before its next use.
-- Khalid
On 10/6/25 13:46, Kshitij Paranjape wrote:
Cc: stable@vger.kernel.org Reported-by: syzbot+270f1c719ee7baab9941@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=270f1c719ee7baab9941 Signed-off-by: Kshitij Paranjape kshitijvparanjape@gmail.com
Hey Kshitij,
the formatting didn't quite work out the way you intended. For the next version, please try to send it to Shuah and I first.
linux-stable-mirror@lists.linaro.org
-
David Hunter -
Khalid Aziz -
Kshitij Paranjape -
vivek yadav