[SRU][R][PATCH 0/1] CVE-2026-53176
Cengiz Can
cengiz.can at canonical.com
Fri Jul 3 01:56:38 UTC 2026
https://ubuntu.com/security/CVE-2026-53176
[ Impact ]
In the iSER target driver, isert_login_recv_done() computes the login request
payload length as wc->byte_len minus ISER_HEADERS_LEN (76) with no lower bound,
storing the result in a signed int. A remote iSER initiator can post a login
Send work request carrying fewer than ISER_HEADERS_LEN bytes, causing the
subtraction to underflow so login_req_len becomes negative. That negative
length survives the signed min() in isert_rx_login_req() and is sign-extended
to a multi-gigabyte size_t passed to memcpy(), driving an out-of-bounds copy
into the 8192-byte login buffer that faults and crashes the target node.
Because the login phase precedes iSCSI authentication, no credentials are
required to reach this path.
[ Fix ]
resolute: clean cherry-pick
[ Test Plan ]
Boot tested.
[ Where Problems Could Occur ]
A regression would be confined to the InfiniBand iSER target driver (ib_isert);
if the added lower-bound check were incorrect it could reject valid login PDUs
and prevent legitimate iSER initiators from establishing sessions.
More information about the kernel-team
mailing list