* [PATCH] scsi: aacraid: fix leak of data from stack back to userspace
@ 2017-05-15 14:56 ` Colin King
0 siblings, 0 replies; 6+ messages in thread
From: Colin King @ 2017-05-15 14:56 UTC (permalink / raw)
To: Raghava Aditya Renukunta, Adaptec OEM Raid Solutions,
James E . J . Bottomley, Martin K . Petersen, linux-scsi
Cc: kernel-janitors, linux-kernel
From: Colin Ian King <colin.king@canonical.com>
The fields sense_data_size and sense_data are unitialized garbage from
the stack and are being copied back to userspace. Fix this leak of
stack information by ensuring they are zero'd.
Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")
Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/scsi/aacraid/commctrl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index 106b9332f718..6bb6ed48e31d 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -955,6 +955,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
reply.srb_status = SRB_STATUS_SUCCESS;
reply.scsi_status = 0;
reply.data_xfer_length = byte_count;
+ reply.sense_data_size = 0;
+ memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
} else {
reply.srb_status = err->service_response;
reply.scsi_status = err->status;
--
2.11.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH] scsi: aacraid: fix leak of data from stack back to userspace
@ 2017-05-15 14:56 ` Colin King
0 siblings, 0 replies; 6+ messages in thread
From: Colin King @ 2017-05-15 14:56 UTC (permalink / raw)
To: Raghava Aditya Renukunta, Adaptec OEM Raid Solutions,
James E . J . Bottomley, Martin K . Petersen, linux-scsi
Cc: kernel-janitors, linux-kernel
From: Colin Ian King <colin.king@canonical.com>
The fields sense_data_size and sense_data are unitialized garbage from
the stack and are being copied back to userspace. Fix this leak of
stack information by ensuring they are zero'd.
Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")
Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/scsi/aacraid/commctrl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index 106b9332f718..6bb6ed48e31d 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -955,6 +955,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
reply.srb_status = SRB_STATUS_SUCCESS;
reply.scsi_status = 0;
reply.data_xfer_length = byte_count;
+ reply.sense_data_size = 0;
+ memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
} else {
reply.srb_status = err->service_response;
reply.scsi_status = err->status;
--
2.11.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] scsi: aacraid: fix leak of data from stack back to userspace
2017-05-15 14:56 ` Colin King
@ 2017-05-15 15:07 ` walter harms
-1 siblings, 0 replies; 6+ messages in thread
From: walter harms @ 2017-05-15 15:07 UTC (permalink / raw)
To: Colin King
Cc: Raghava Aditya Renukunta, Adaptec OEM Raid Solutions,
James E . J . Bottomley, Martin K . Petersen, linux-scsi,
kernel-janitors, linux-kernel
Am 15.05.2017 16:56, schrieb Colin King:
> From: Colin Ian King <colin.king@canonical.com>
>
> The fields sense_data_size and sense_data are unitialized garbage from
> the stack and are being copied back to userspace. Fix this leak of
> stack information by ensuring they are zero'd.
>
> Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")
>
> Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> drivers/scsi/aacraid/commctrl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
> index 106b9332f718..6bb6ed48e31d 100644
> --- a/drivers/scsi/aacraid/commctrl.c
> +++ b/drivers/scsi/aacraid/commctrl.c
> @@ -955,6 +955,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
> reply.srb_status = SRB_STATUS_SUCCESS;
> reply.scsi_status = 0;
> reply.data_xfer_length = byte_count;
> + reply.sense_data_size = 0;
> + memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
> } else {
> reply.srb_status = err->service_response;
> reply.scsi_status = err->status;
an other idea would be initialize the reply with zero:
struct aac_srb_reply reply={0};
maybe that is more future proof but i have no idea about the speed penalty.
just my 2 cents,
wh
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] scsi: aacraid: fix leak of data from stack back to userspace
@ 2017-05-15 15:07 ` walter harms
0 siblings, 0 replies; 6+ messages in thread
From: walter harms @ 2017-05-15 15:07 UTC (permalink / raw)
To: Colin King
Cc: Raghava Aditya Renukunta, Adaptec OEM Raid Solutions,
James E . J . Bottomley, Martin K . Petersen, linux-scsi,
kernel-janitors, linux-kernel
Am 15.05.2017 16:56, schrieb Colin King:
> From: Colin Ian King <colin.king@canonical.com>
>
> The fields sense_data_size and sense_data are unitialized garbage from
> the stack and are being copied back to userspace. Fix this leak of
> stack information by ensuring they are zero'd.
>
> Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")
>
> Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> drivers/scsi/aacraid/commctrl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
> index 106b9332f718..6bb6ed48e31d 100644
> --- a/drivers/scsi/aacraid/commctrl.c
> +++ b/drivers/scsi/aacraid/commctrl.c
> @@ -955,6 +955,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
> reply.srb_status = SRB_STATUS_SUCCESS;
> reply.scsi_status = 0;
> reply.data_xfer_length = byte_count;
> + reply.sense_data_size = 0;
> + memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
> } else {
> reply.srb_status = err->service_response;
> reply.scsi_status = err->status;
an other idea would be initialize the reply with zero:
struct aac_srb_reply reply={0};
maybe that is more future proof but i have no idea about the speed penalty.
just my 2 cents,
wh
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: [PATCH] scsi: aacraid: fix leak of data from stack back to userspace
2017-05-15 14:56 ` Colin King
@ 2017-06-13 21:06 ` Dave Carroll
-1 siblings, 0 replies; 6+ messages in thread
From: Dave Carroll @ 2017-06-13 21:06 UTC (permalink / raw)
To: Colin King, Raghava Aditya Renukunta, dl-esc-Aacraid Linux Driver,
James E . J . Bottomley, Martin K . Petersen,
linux-scsi@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
PiAtLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KPiBGcm9tOiBDb2xpbiBLaW5nIFttYWlsdG86
Y29saW4ua2luZ0BjYW5vbmljYWwuY29tXQ0KPiBTZW50OiBNb25kYXksIE1heSAxNSwgMjAxNyA4
OjU2IEFNDQo+IFRvOiBSYWdoYXZhIEFkaXR5YSBSZW51a3VudGEgPFJhZ2hhdmFBZGl0eWEuUmVu
dWt1bnRhQG1pY3Jvc2VtaS5jb20+Ow0KPiBkbC1lc2MtQWFjcmFpZCBMaW51eCBEcml2ZXIgPGFh
Y3JhaWRAbWljcm9zZW1pLmNvbT47IEphbWVzIEUgLiBKIC4gQm90dG9tbGV5DQo+IDxqZWpiQGxp
bnV4LnZuZXQuaWJtLmNvbT47IE1hcnRpbiBLIC4gUGV0ZXJzZW4NCj4gPG1hcnRpbi5wZXRlcnNl
bkBvcmFjbGUuY29tPjsgbGludXgtc2NzaUB2Z2VyLmtlcm5lbC5vcmcNCj4gQ2M6IGtlcm5lbC1q
YW5pdG9yc0B2Z2VyLmtlcm5lbC5vcmc7IGxpbnV4LWtlcm5lbEB2Z2VyLmtlcm5lbC5vcmcNCj4g
U3ViamVjdDogW1BBVENIXSBzY3NpOiBhYWNyYWlkOiBmaXggbGVhayBvZiBkYXRhIGZyb20gc3Rh
Y2sgYmFjayB0byB1c2Vyc3BhY2UNCj4gDQo+IEZyb206IENvbGluIElhbiBLaW5nIDxjb2xpbi5r
aW5nQGNhbm9uaWNhbC5jb20+DQo+IA0KPiBUaGUgZmllbGRzIHNlbnNlX2RhdGFfc2l6ZSBhbmQg
c2Vuc2VfZGF0YSBhcmUgdW5pdGlhbGl6ZWQgZ2FyYmFnZSBmcm9tIHRoZQ0KPiBzdGFjayBhbmQg
YXJlIGJlaW5nIGNvcGllZCBiYWNrIHRvIHVzZXJzcGFjZS4gIEZpeCB0aGlzIGxlYWsgb2Ygc3Rh
Y2sgaW5mb3JtYXRpb24NCj4gYnkgZW5zdXJpbmcgdGhleSBhcmUgemVybydkLg0KPiANCj4gRGV0
ZWN0ZWQgYnkgQ292ZXJpdHlTY2FuLCBDSUQjMTQzNTQ3MyAoIlVuaW5pdGlhbGl6ZWQgc2NhbGFy
IHZhcmlhYmxlIikNCj4gDQo+IEZpeGVzOiA0MjM0MDBlNjRkMzc3ICgic2NzaTogYWFjcmFpZDog
SW5jbHVkZSBIQkEgZGlyZWN0IGludGVyZmFjZSIpDQo+IFNpZ25lZC1vZmYtYnk6IENvbGluIElh
biBLaW5nIDxjb2xpbi5raW5nQGNhbm9uaWNhbC5jb20+DQo+IC0tLQ0KPiAgZHJpdmVycy9zY3Np
L2FhY3JhaWQvY29tbWN0cmwuYyB8IDIgKysNCj4gIDEgZmlsZSBjaGFuZ2VkLCAyIGluc2VydGlv
bnMoKykNCj4gDQpBY2tlZC1ieTogRGF2ZSBDYXJyb2xsIDxkYXZpZC5jYXJyb2xsQG1pY3Jvc2Vt
aS5jb20+DQo
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: [PATCH] scsi: aacraid: fix leak of data from stack back to userspace
@ 2017-06-13 21:06 ` Dave Carroll
0 siblings, 0 replies; 6+ messages in thread
From: Dave Carroll @ 2017-06-13 21:06 UTC (permalink / raw)
To: Colin King, Raghava Aditya Renukunta, dl-esc-Aacraid Linux Driver,
James E . J . Bottomley, Martin K . Petersen,
linux-scsi@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
> -----Original Message-----
> From: Colin King [mailto:colin.king@canonical.com]
> Sent: Monday, May 15, 2017 8:56 AM
> To: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>;
> dl-esc-Aacraid Linux Driver <aacraid@microsemi.com>; James E . J . Bottomley
> <jejb@linux.vnet.ibm.com>; Martin K . Petersen
> <martin.petersen@oracle.com>; linux-scsi@vger.kernel.org
> Cc: kernel-janitors@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: [PATCH] scsi: aacraid: fix leak of data from stack back to userspace
>
> From: Colin Ian King <colin.king@canonical.com>
>
> The fields sense_data_size and sense_data are unitialized garbage from the
> stack and are being copied back to userspace. Fix this leak of stack information
> by ensuring they are zero'd.
>
> Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")
>
> Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> drivers/scsi/aacraid/commctrl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
Acked-by: Dave Carroll <david.carroll@microsemi.com>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-06-13 21:06 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-15 14:56 [PATCH] scsi: aacraid: fix leak of data from stack back to userspace Colin King
2017-05-15 14:56 ` Colin King
2017-05-15 15:07 ` walter harms
2017-05-15 15:07 ` walter harms
2017-06-13 21:06 ` Dave Carroll
2017-06-13 21:06 ` Dave Carroll
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.