From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: Vasiliy Kovalev <kovalev@altlinux.org>, Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 5.10.y] scsi: core: Fix scsi_mode_sense() buffer length handling
Date: Fri, 22 Nov 2024 14:39:54 -0500
Message-ID: <20241122143809-33d114b3a6eaee8b@stable.kernel.org>
In-Reply-To: <20241122190702.230010-2-kovalev@altlinux.org>
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 17b49bcbf8351d3dbe57204468ac34f033ed60bc
WARNING: Author mismatch between patch and upstream commit:
Backport author: Vasiliy Kovalev <kovalev@altlinux.org>
Commit author: Damien Le Moal <damien.lemoal@wdc.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (different SHA1: e15de347faf4)
5.10.y | Not found
Note: The patch differs from the upstream commit:
---
--- - 2024-11-22 14:28:14.472822873 -0500
+++ /tmp/tmp.ZvzLslfZma 2024-11-22 14:28:14.464095287 -0500
@@ -1,3 +1,5 @@
+commit 17b49bcbf8351d3dbe57204468ac34f033ed60bc upstream.
+
Several problems exist with scsi_mode_sense() buffer length handling:
1) The allocation length field of the MODE SENSE(10) command is 16-bits,
@@ -36,15 +38,16 @@
Link: https://lore.kernel.org/r/20210820070255.682775-2-damien.lemoal@wdc.com
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
drivers/scsi/scsi_lib.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 572673873ddf8..701d8e8480f22 100644
+index 64ae7bc2de604..0a9db3464fd48 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
-@@ -2075,7 +2075,7 @@ EXPORT_SYMBOL_GPL(scsi_mode_select);
+@@ -2068,7 +2068,7 @@ EXPORT_SYMBOL_GPL(scsi_mode_select);
/**
* scsi_mode_sense - issue a mode sense, falling back from 10 to six bytes if necessary.
* @sdev: SCSI device to be queried
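Review bot: the tag block in this hunk gains only `Signed-off-by: Vasiliy Kovalev`, while the warning at the top of this report shows the patch author as Vasiliy Kovalev rather than Damien Le Moal. Resend with `From: Damien Le Moal <damien.lemoal@wdc.com>` as the first line of the patch body so the upstream authorship is preserved when the patch is applied to 5.10.y.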
@@ -53,7 +56,7 @@
* @modepage: mode page being requested
* @buffer: request buffer (may not be smaller than eight bytes)
* @len: length of request buffer.
-@@ -2110,18 +2110,18 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+@@ -2103,18 +2103,18 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
sshdr = &my_sshdr;
retry:
@@ -77,7 +80,7 @@
cmd[0] = MODE_SENSE;
cmd[4] = len;
-@@ -2145,9 +2145,15 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+@@ -2139,8 +2139,14 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
if ((sshdr->sense_key == ILLEGAL_REQUEST) &&
(sshdr->asc == 0x20) && (sshdr->ascq == 0)) {
/*
@@ -88,24 +91,26 @@
+ * too large for MODE SENSE single byte
+ * allocation length field.
*/
- if (use_10_for_ms) {
-+ if (len > 255)
-+ return -EIO;
- sdev->use_10_for_ms = 0;
- goto retry;
- }
-@@ -2171,12 +2177,11 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
- data->longlba = 0;
- data->block_descriptor_length = 0;
- } else if (use_10_for_ms) {
-- data->length = buffer[0]*256 + buffer[1] + 2;
-+ data->length = get_unaligned_be16(&buffer[0]) + 2;
- data->medium_type = buffer[2];
- data->device_specific = buffer[3];
- data->longlba = buffer[4] & 0x01;
-- data->block_descriptor_length = buffer[6]*256
-- + buffer[7];
-+ data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
- } else {
- data->length = buffer[0] + 1;
- data->medium_type = buffer[1];
++ if (len > 255)
++ return -EIO;
+ sdev->use_10_for_ms = 0;
+ goto retry;
+ }
+@@ -2158,12 +2164,11 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+ data->longlba = 0;
+ data->block_descriptor_length = 0;
+ } else if (use_10_for_ms) {
+- data->length = buffer[0]*256 + buffer[1] + 2;
++ data->length = get_unaligned_be16(&buffer[0]) + 2;
+ data->medium_type = buffer[2];
+ data->device_specific = buffer[3];
+ data->longlba = buffer[4] & 0x01;
+- data->block_descriptor_length = buffer[6]*256
+- + buffer[7];
++ data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
+ } else {
+ data->length = buffer[0] + 1;
+ data->medium_type = buffer[1];
+--
+2.33.8
+
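Review bot: the `if (use_10_for_ms) {` line at the start of the removed side has no counterpart on the added side, so in the 5.10.y version the new `if (len > 255)` / `return -EIO;` check is not visibly nested under a MODE SENSE(10) test. The function hunk header shown in the previous hunk changes from `-2145,9 +2145,15` to `-2139,8 +2139,14`, which matches one context line fewer. Please confirm that this retry path in 5.10.y is only reached when MODE SENSE(10) was issued, and record the adaptation in the changelog with a bracketed backporter note above the added Signed-off-by, since the message otherwise reads as an unmodified copy of the upstream commit. The other code lines appear on both sides with identical text, which suggests an indentation-only difference worth stating in that note as well.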
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y | Success | Success |
Thread overview:
2024-11-22 19:07 [PATCH 5.10.y] scsi: core: Backport fixes for CVE-2021-47182 Vasiliy Kovalev
2024-11-22 19:07 ` [PATCH 5.10.y] scsi: core: Fix scsi_mode_sense() buffer length handling Vasiliy Kovalev
2024-11-22 19:39 ` Sasha Levin [this message]