Re: [PATCH 7/15] megaraid_sas: Sanity check user supplied length in megasas_mgmt_fw_ioctl

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Bjørn Mork" <bjorn@mork.no>
To: adam radford <aradford@gmail.com>
Cc: Tomas Henzl <thenzl@redhat.com>,
	linux-scsi <linux-scsi@vger.kernel.org>,
	Bo.Yang@lsi.com, Ben Hutchings <ben@decadent.org.uk>
Subject: Re: [PATCH 7/15] megaraid_sas: Sanity check user supplied length in megasas_mgmt_fw_ioctl
Date: Thu, 03 Mar 2011 16:26:04 +0100	[thread overview]
Message-ID: <874o7kgr8z.fsf@nemi.mork.no> (raw)
In-Reply-To: <AANLkTinCLCYeF_MF0KRSt6duuqWsYH3nsvWULFWN1JGp@mail.gmail.com> (adam radford's message of "Thu, 24 Feb 2011 16:54:50 -0800")

adam radford <aradford@gmail.com> writes:
> On Thu, Feb 24, 2011 at 6:01 AM, Tomas Henzl <thenzl@redhat.com> wrote:
>>
>> there was proposed another patch for this issue -
>> http://marc.info/?l=linux-scsi&m=129542474703680&w=2
>> I think it's a little bit more precise.
>>
>>        for (i = 0; i < ioc->sge_count; i++) {
>> +               if (!ioc->sgl[i].iov_len)
>> +                       continue;
>> +
>>
>
> I didn't see this was already in scsi-misc-2.6.  I will re-base my
> patch series and repost.

Ben Hutchings noted as well in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604627#47
that this removes the initialisation of kern_sge32[i] when
ioc->sgl[i].iov_len is zero.

Inspecting smartmontools shows that it is not an issue with them, as
they always sge32[0].length = sgl[0].iov_len before issuing the
passthrough command:

/* Issue passthrough scsi command to PERC5/6 controllers */
bool linux_megaraid_device::megasas_cmd(int cdbLen, void *cdb, 
  int dataLen, void *data,
  int /*senseLen*/, void * /*sense*/, int /*report*/)
{
  struct megasas_pthru_frame    *pthru;
  struct megasas_iocpacket      uio;
  int rc;

  memset(&uio, 0, sizeof(uio));
  pthru = (struct megasas_pthru_frame *)uio.frame.raw;
  pthru->cmd = MFI_CMD_PD_SCSI_IO;
  pthru->cmd_status = 0xFF;
  pthru->scsi_status = 0x0;
  pthru->target_id = m_disknum;
  pthru->lun = 0;
  pthru->cdb_len = cdbLen;
  pthru->timeout = 0;
  pthru->flags = MFI_FRAME_DIR_READ;
  pthru->sge_count = 1;
  pthru->data_xfer_len = dataLen;
  pthru->sgl.sge32[0].phys_addr = (intptr_t)data;
  pthru->sgl.sge32[0].length = (uint32_t)dataLen;
  memcpy(pthru->cdb, cdb, cdbLen);

  uio.host_no = m_hba;
  uio.sge_count = 1;
  uio.sgl_off = offsetof(struct megasas_pthru_frame, sgl);
  uio.sgl[0].iov_base = data;
  uio.sgl[0].iov_len = dataLen;

  rc = 0;
  errno = 0;
  rc = ioctl(m_fd, MEGASAS_IOC_FIRMWARE, &uio);





But to be utterly safe against userspace stupidity, the patch should
probably always set the kern_sge32[i].length.  Something like this,
maybe: 



diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 5d6d07b..4cc65fd 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -4611,6 +4611,11 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
         * For each user buffer, create a mirror buffer and copy in
         */
        for (i = 0; i < ioc->sge_count; i++) {
+               if (!ioc->sgl[i].iov_len) {
+                       kern_sge32[i].length = 0;
+                       continue;
+               }
+
                kbuff_arr[i] = dma_alloc_coherent(&instance->pdev->dev,
                                                    ioc->sgl[i].iov_len,
                                                    &buf_handle, GFP_KERNEL);
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

     prev parent reply	other threads:[~2011-03-03 15:37 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-02-20  2:22 [PATCH 7/15] megaraid_sas: Sanity check user supplied length in megasas_mgmt_fw_ioctl adam radford
2011-02-24 14:01 ` Tomas Henzl
2011-02-25  0:54   ` adam radford
2011-03-03 15:26     ` Bjørn Mork [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5d6d07b dfblob:4cc65fd )
 OR (
bs:"Re: [PATCH 7/15] megaraid_sas: Sanity check user supplied length in megasas_mgmt_fw_ioctl" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=874o7kgr8z.fsf@nemi.mork.no \
    --to=bjorn@mork.no \
    --cc=Bo.Yang@lsi.com \
    --cc=aradford@gmail.com \
    --cc=ben@decadent.org.uk \
    --cc=linux-scsi@vger.kernel.org \
    --cc=thenzl@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.