[PATCH v4 0/2] scsi: core: fix uninit-value access of variable sshdr

[PATCH v4 0/2] scsi: core: fix uninit-value access of variable sshdr

[zhengbin]

v1->v2: modify the comments suggested by Bart
v2->v3: fix bug in sr_do_ioctl
v3->v4: let "fix bug in sr_do_ioctl" be a separate patch

zhengbin (2):
  sr: need to check whether sshdr is valid in sr_do_ioctl
  scsi: core: fix uninit-value access of variable sshdr

 drivers/scsi/scsi_lib.c | 7 +++++++
 drivers/scsi/sr_ioctl.c | 5 +++++
 2 files changed, 12 insertions(+)

--
2.7.4

[PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl

[zhengbin]

Like other callers of scsi_execute(send_trespass_cmd, hp_sw_tur...),
we need to check whether sshdr is valid.

Signed-off-by: zhengbin <zhengbin13@huawei.com>
---
 drivers/scsi/sr_ioctl.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index ffcf902..335cfdd 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -206,6 +206,11 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)

 	/* Minimal error checking.  Ignore cases we know about, and report the rest. */
 	if (driver_byte(result) != 0) {
+		if (!scsi_sense_valid(sshdr)) {
+			err = -EIO;
+			goto out;
+		}
+
 		switch (sshdr->sense_key) {
 		case UNIT_ATTENTION:
 			SDev->changed = 1;
--
2.7.4

Re: [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl

[Martin K. Petersen]

zhengbin,

> Like other callers of scsi_execute(send_trespass_cmd, hp_sw_tur...),
> we need to check whether sshdr is valid.

Applied to 5.4/scsi-fixes, thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering

Re: [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl

[Martin K. Petersen]

zhengbin,

>> Like other callers of scsi_execute(send_trespass_cmd, hp_sw_tur...),
>> we need to check whether sshdr is valid.
>
> Applied to 5.4/scsi-fixes, thanks!

Actually, after looking at this again, the function is making the
assumption that if driver_byte(result) != 0, then the sense is
present. It really should check both driver_byte(result) == DRIVER_SENSE
and scsi_sense_valid(sshdr) before poking at the sense data.

-- 
Martin K. Petersen	Oracle Linux Engineering

[PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr

[zhengbin]

kmsan report a warning in 5.1-rc4:

BUG: KMSAN: uninit-value in sr_get_events drivers/scsi/sr.c:207 [inline]
BUG: KMSAN: uninit-value in sr_check_events+0x2cf/0x1090 drivers/scsi/sr.c:243
CPU: 1 PID: 13858 Comm: syz-executor.0 Tainted: G    B             5.1.0-rc4+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:619
 __msan_warning+0x7a/0xf0 mm/kmsan/kmsan_instr.c:310
 sr_get_events drivers/scsi/sr.c:207 [inline]
 sr_check_events+0x2cf/0x1090 drivers/scsi/sr.c:243

The reason is as follows:
sr_get_events
  struct scsi_sense_hdr sshdr;  -->uninit
  scsi_execute_req              -->If fail, will not set sshdr
  scsi_sense_valid(&sshdr)      -->access sshdr

We can init sshdr in sr_get_events, but there have many callers of
scsi_execute, scsi_execute_req, we have to troubleshoot all callers,
the simpler way is init sshdr in __scsi_execute.

Signed-off-by: zhengbin <zhengbin13@huawei.com>
---
 drivers/scsi/scsi_lib.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 5447738..d5e29c5 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -255,6 +255,13 @@ int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 	struct scsi_request *rq;
 	int ret = DRIVER_ERROR << 24;

+	/*
+	 * Zero-initialize sshdr for those callers that check the *sshdr
+	 * contents even if no sense data is available.
+	 */
+	if (sshdr)
+		memset(sshdr, 0, sizeof(struct scsi_sense_hdr));
+
 	req = blk_get_request(sdev->request_queue,
 			data_direction == DMA_TO_DEVICE ?
 			REQ_OP_SCSI_OUT : REQ_OP_SCSI_IN, BLK_MQ_REQ_PREEMPT);
--
2.7.4

Re: [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr

[Martin K. Petersen]

zhengbin,

> We can init sshdr in sr_get_events, but there have many callers of
> scsi_execute, scsi_execute_req, we have to troubleshoot all callers,
> the simpler way is init sshdr in __scsi_execute.

There aren't that many callers. I'd prefer to make sure that everybody
is handling DRIVER_SENSE and scsi_sense_valid() correctly. Looks like
we're generally OK, but please verify.

Thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering

Re: [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr

[zhengbin (A)]

On 2019/10/18 10:40, Martin K. Petersen wrote:
> zhengbin,
>
>> We can init sshdr in sr_get_events, but there have many callers of
>> scsi_execute, scsi_execute_req, we have to troubleshoot all callers,
>> the simpler way is init sshdr in __scsi_execute.
> There aren't that many callers. I'd prefer to make sure that everybody
> is handling DRIVER_SENSE and scsi_sense_valid() correctly. Looks like
> we're generally OK, but please verify.

OK, I have troubleshoot callers, there are similar bug(scsi_report_opcode, cache_type_store, scsi_test_unit_ready, scsi_report_lun_scan, sd_spinup_disk, read_capacity_16,

read_capacity_10, sr_get_events, alua_rtpg, alua_stpg, send_trespass_cmd, hp_sw_tur, hp_sw_start_stop, send_mode_select, sd_sync_cache, sd_start_stop_device, sr_do_ioctl).

I modify these in a patch? or every .c a patch, use a patchset?

>
> Thanks!
>

Re: [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr

[Martin K. Petersen]

zhengbin,

> I modify these in a patch? or every .c a patch, use a patchset?

A patchset consisting of one patch per file, please.

Thank you!

-- 
Martin K. Petersen	Oracle Linux Engineering