scsi: sd: Fix VPD page 0xb7 length check

forsaken641 · martinkpetersen · commit 8889676cd621 · 2025-06-24T21:05:42.000-04:00
sd_read_block_limits_ext() currently assumes that vpd->len excludes the size of the page header. However, vpd->len describes the size of the entire VPD page, therefore the sanity check is incorrect. In practice this is not really a problem since we don't attach VPD pages unless they actually report data trailing the header. But fix the length check regardless. This issue was identified by Wukong-Agent (formerly Tencent Woodpecker), a code security AI agent, through static code analysis. [mkp: rewrote patch description] Signed-off-by: jackysliu <1972843537@qq.com> Link: https://lore.kernel.org/r/tencent_ADA5210D1317EEB6CD7F3DE9FE9DA4591D05@qq.com Fixes: 96b171d ("scsi: core: Query the Block Limits Extension VPD page") Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
 
 	rcu_read_lock();
 	vpd = rcu_dereference(sdkp->device->vpd_pgb7);
-	if (vpd && vpd->len >= 2)
+	if (vpd && vpd->len >= 6)
 		sdkp->rscs = vpd->data[5] & 1;
 	rcu_read_unlock();
 }

Original file line number	Diff line number	Diff line change
`@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)`
`3384`	`3384`
`3385`	`3385`	`rcu_read_lock();`
`3386`	`3386`	`vpd = rcu_dereference(sdkp->device->vpd_pgb7);`
`3387`		`- if (vpd && vpd->len >= 2)`
	`3387`	`+ if (vpd && vpd->len >= 6)`
`3388`	`3388`	`sdkp->rscs = vpd->data[5] & 1;`
`3389`	`3389`	`rcu_read_unlock();`
`3390`	`3390`	`}`