[PATCH] scsi: ibmvfc: fix out-of-bounds write in ibmvfc_channel_setup_done

Tyllis Xu livelycarpet87 at gmail.com
Sat Mar 21 14:37:54 AEDT 2026


In ibmvfc_channel_setup_done(), the firmware-supplied
num_scsi_subq_channels from the MAD response buffer is assigned directly
to active_queues without being validated against scrqs->max_queues, the
allocated size of the scrqs->scrqs[] array.

A malicious or compromised hypervisor can supply a value larger than
max_queues, causing the loop to write attacker-controlled 64-bit cookie
values beyond the end of the heap-allocated queue array and corrupting
adjacent kernel memory.

Use min_t(u32, ...) rather than min_t(int, ...) to clamp active_queues.
The firmware field is a __be32 whose decoded value is assigned to an int;
a value exceeding INT_MAX would produce a negative int that min_t(int)
would pass through unchanged, storing UINT_MAX into the unsigned int
scrqs->active_queues. Using u32 arithmetic ensures any out-of-range value
is correctly clamped to max_queues regardless of sign.

Fixes: b88a5d9b7f56 ("scsi: ibmvfc: Register Sub-CRQ handles with VIOS during channel setup")
Reported-by: Yuhao Jiang <danisjiang at gmail.com>
Cc: stable at vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87 at gmail.com>
---
 drivers/scsi/ibmvscsi/ibmvfc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index a20fce04fe79..5694530c4b2f 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -5039,6 +5039,7 @@ static void ibmvfc_channel_setup_done(struct ibmvfc_event *evt)
 		flags = be32_to_cpu(setup->flags);
 		vhost->do_enquiry = 0;
 		active_queues = be32_to_cpu(setup->num_scsi_subq_channels);
+		active_queues = min_t(u32, active_queues, scrqs->max_queues);
 		scrqs->active_queues = active_queues;
 
 		if (flags & IBMVFC_CHANNELS_CANCELED) {
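Review bot: The commit message says to use min_t(u32, ...) "rather than min_t(int, ...)", but this hunk only adds a line; there is no existing min_t(int, ...) call being replaced, so the wording reads as if it describes an earlier revision of the patch rather than the change itself. Consider rewording it to explain why u32 was chosen for the clamp (the local is an int receiving a be32 value, as the message already notes). Separately, since num_scsi_subq_channels exceeding max_queues indicates misbehaving firmware rather than a normal condition, consider emitting a rate-limited or one-shot warning (e.g. dev_warn_once on vhost->dev) before the clamp, so the truncation is visible in the logs instead of happening silently.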
-- 
2.43.0
