[PATCH] scsi: ibmvfc: fix out-of-bounds read in discover_targets
Junrui Luo
moonafterrain at outlook.com
Sun Jan 25 02:23:10 AEDT 2026
The discover_targets_done() function processes a response from the
virtual FC adapter containing a num_written field that indicates how
many targets were written to the discovery buffer. This value is
assigned to vhost->num_targets without validation.

The discovery buffer is pre-allocated with a fixed size based on
max_targets, but the virtual adapter could return
num_written > max_targets. This causes an out-of-bounds read in
ibmvfc_alloc_targets() which iterates vhost->num_targets times over
the disc_buf array.

Fix by clamping the value to the maximum buffer size.

Reported-by: Yuhao Jiang <danisjiang at gmail.com>
Reported-by: Junrui Luo <moonafterrain at outlook.com>
Fixes: 072b91f9c651 ("[SCSI] ibmvfc: IBM Power Virtual Fibre Channel Adapter Client Driver")
Cc: stable at vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain at outlook.com>
---
drivers/scsi/ibmvscsi/ibmvfc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index 228daffb286d..f346dee4a0ac 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -4965,7 +4965,7 @@ static void ibmvfc_discover_targets_done(struct ibmvfc_event *evt)
switch (mad_status) {
case IBMVFC_MAD_SUCCESS:
ibmvfc_dbg(vhost, "Discover Targets succeeded\n");
- vhost->num_targets = be32_to_cpu(rsp->num_written);
+ vhost->num_targets = min_t(u32, be32_to_cpu(rsp->num_written), max_targets);
ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_ALLOC_TGTS);
break;
case IBMVFC_MAD_FAILED:
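Review bot: the clamp on the added line in the IBMVFC_MAD_SUCCESS case truncates silently, so when rsp->num_written exceeds max_targets nothing records that the adapter reported more targets than the buffer can hold. Consider emitting a warning in that branch before storing the clamped value, so an over-reporting adapter is visible in the logs rather than only showing up as missing targets. Separately, max_targets is not defined anywhere in the visible context; the commit message says the discovery buffer is sized from it, so it would help to state (in the message or a short comment) that this is the same value used when disc_buf was allocated and that it cannot change afterwards, since the fix is only correct if the two stay in step.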
---
base-commit: 62085877ae6592be830c2267e35dc469cb706308
change-id: 20260124-fixes-c31dc1e4e4cb
Best regards,
--
Junrui Luo <moonafterrain at outlook.com>