It was reported that in vhost_scsi_make_tpg() the limit for "tpgt" is UINT_MAX, but the data type of "tpg->tport_tpgt" is u16.
In the context it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg array which has VHOST_SCSI_MAX_TARGET (256) elements, so anything higher than 255 then is invalid. Attached patch corrects this.
In vhost_scsi_send_evt() the values higher than 255 are masked, but now that the limit has changed, the mask is not needed.
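The mismatch described above, as an added userspace example that is not the kernel code or the attached patch: it models the UINT_MAX limit beside a limit tied to the array size. The function names and the strtoul-based parser are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

#define VHOST_SCSI_MAX_TARGET 256   /* size of the vs_tpg array, per the report */

/* Parse a decimal string into *out; returns 0 on success, -EINVAL otherwise. */
static int parse_ulong(const char *s, unsigned long *out)
{
    char *end;

    errno = 0;
    *out = strtoul(s, &end, 10);
    if (errno || end == s || *end != '\0')
        return -EINVAL;
    return 0;
}

/* Model of the reported check: limit is UINT_MAX, destination is 16 bits. */
int tpgt_check_reported(const char *s, uint16_t *tport_tpgt)
{
    unsigned long tpgt;

    if (parse_ulong(s, &tpgt) || tpgt > UINT_MAX)
        return -EINVAL;
    *tport_tpgt = (uint16_t)tpgt;   /* silently truncates values above 65535 */
    return 0;
}

/* Model of the corrected check: reject anything that cannot index vs_tpg. */
int tpgt_check_bounded(const char *s, uint16_t *tport_tpgt)
{
    unsigned long tpgt;

    if (parse_ulong(s, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
        return -EINVAL;
    *tport_tpgt = (uint16_t)tpgt;
    return 0;
}

/* True when the stored value is a valid offset into a vs_tpg-sized array. */
int tpgt_is_valid_index(uint16_t tport_tpgt)
{
    return tport_tpgt < VHOST_SCSI_MAX_TARGET;
}
```

With the bounded check, every value that reaches the 16-bit field is already a valid array offset, which is why a later mask on the stored value becomes redundant.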
Created attachment 988570
Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 and 7, and Red Hat Enterprise MRG, as they do not have the CONFIG_VHOST_SCSI directive enabled in the build configuration.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1192079]
kernel-3.18.8-201.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.18.9-100.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.