scsi: sd: Fix VPD page 0xb7 length check

sd_read_block_limits_ext() currently assumes that vpd->len excludes the
size of the page header. However, vpd->len describes the size of the entire
VPD page, therefore the sanity check is incorrect.

In practice this is not really a problem since we don't attach VPD
pages unless they actually report data trailing the header. But fix
the length check regardless.

This issue was identified by Wukong-Agent (formerly Tencent Woodpecker), a
code security AI agent, through static code analysis.

[mkp: rewrote patch description]

Signed-off-by: jackysliu <1972843537@qq.com>
Link: https://lore.kernel.org/r/tencent_ADA5210D1317EEB6CD7F3DE9FE9DA4591D05@qq.com
Fixes: 96b171d6dba6 ("scsi: core: Query the Block Limits Extension VPD page")
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 3f6e87705b62e59a5bf599d414f9ae7b3a61c3cb..eeaa6af294b81272d7448bb7afcd918c5f6b0876 100644 (file)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
 
        rcu_read_lock();
        vpd = rcu_dereference(sdkp->device->vpd_pgb7);
-       if (vpd && vpd->len >= 2)
+       if (vpd && vpd->len >= 6)
                sdkp->rscs = vpd->data[5] & 1;
        rcu_read_unlock();
 }