[PATCH 0/2] sg: fix infoleak when using SG_GET_REQUEST_TABLE

[PATCH 0/2] sg: fix infoleak when using SG_GET_REQUEST_TABLE

[Hannes Reinecke]

KMSAN detected a possible infoleak when using SG_GET_REQUEST_TABLE ioctl.
This patchset fixes it.

As usual, comments and reviews are welcome.

Hannes Reinecke (2):
  sg: factor out sg_fill_request_table()
  sg: fixup infoleak when using SG_GET_REQUEST_TABLE

 drivers/scsi/sg.c | 65 +++++++++++++++++++++++++++++++------------------------
 1 file changed, 37 insertions(+), 28 deletions(-)

-- 
1.8.5.6

[PATCH 1/2] sg: factor out sg_fill_request_table()

[Hannes Reinecke]

Factor our sg_fill_request_table() for better readability.

Signed-off-by: Hannes Reinecke <hare@suse.com>
---
 drivers/scsi/sg.c | 62 ++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 36 insertions(+), 26 deletions(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 03194c4..f1e20ca0 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -857,6 +857,40 @@ static int max_sectors_bytes(struct request_queue *q)
 	return max_sectors << 9;
 }
 
+static void
+sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
+{
+	Sg_request *srp;
+	int val;
+	unsigned int ms;
+
+	val = 0;
+	list_for_each_entry(srp, &sfp->rq_list, entry) {
+		if (val > SG_MAX_QUEUE)
+			break;
+		memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
+		rinfo[val].req_state = srp->done + 1;
+		rinfo[val].problem =
+			srp->header.masked_status &
+			srp->header.host_status &
+			srp->header.driver_status;
+		if (srp->done)
+			rinfo[val].duration =
+				srp->header.duration;
+		else {
+			ms = jiffies_to_msecs(jiffies);
+			rinfo[val].duration =
+				(ms > srp->header.duration) ?
+				(ms - srp->header.duration) : 0;
+		}
+		rinfo[val].orphan = srp->orphan;
+		rinfo[val].sg_io_owned = srp->sg_io_owned;
+		rinfo[val].pack_id = srp->header.pack_id;
+		rinfo[val].usr_ptr = srp->header.usr_ptr;
+		val++;
+	}
+}
+
 static long
 sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 {
@@ -1041,39 +1075,15 @@ static int max_sectors_bytes(struct request_queue *q)
 			return -EFAULT;
 		else {
 			sg_req_info_t *rinfo;
-			unsigned int ms;
 
 			rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
 								GFP_KERNEL);
 			if (!rinfo)
 				return -ENOMEM;
 			read_lock_irqsave(&sfp->rq_list_lock, iflags);
-			val = 0;
-			list_for_each_entry(srp, &sfp->rq_list, entry) {
-				if (val > SG_MAX_QUEUE)
-					break;
-				memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
-				rinfo[val].req_state = srp->done + 1;
-				rinfo[val].problem =
-					srp->header.masked_status &
-					srp->header.host_status &
-					srp->header.driver_status;
-				if (srp->done)
-					rinfo[val].duration =
-						srp->header.duration;
-				else {
-					ms = jiffies_to_msecs(jiffies);
-					rinfo[val].duration =
-						(ms > srp->header.duration) ?
-						(ms - srp->header.duration) : 0;
-				}
-				rinfo[val].orphan = srp->orphan;
-				rinfo[val].sg_io_owned = srp->sg_io_owned;
-				rinfo[val].pack_id = srp->header.pack_id;
-				rinfo[val].usr_ptr = srp->header.usr_ptr;
-				val++;
-			}
+			sg_fill_request_table(sfp, rinfo);
 			read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
 			result = __copy_to_user(p, rinfo,
 						SZ_SG_REQ_INFO * SG_MAX_QUEUE);
 			result = result ? -EFAULT : 0;
-- 
1.8.5.6

[PATCH 2/2] sg: fixup infoleak when using SG_GET_REQUEST_TABLE

[Hannes Reinecke]

When calling SG_GET_REQUEST_TABLE ioctl that only a half-filled
table is returned; the remaining part will then contain stale
kernel memory information.
This patch zeroes out the entire table to avoid this issue.

Signed-off-by: Hannes Reinecke <hare@suse.com>
---
 drivers/scsi/sg.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index f1e20ca0..7f98ab4 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -868,7 +868,6 @@ static int max_sectors_bytes(struct request_queue *q)
 	list_for_each_entry(srp, &sfp->rq_list, entry) {
 		if (val > SG_MAX_QUEUE)
 			break;
-		memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
 		rinfo[val].req_state = srp->done + 1;
 		rinfo[val].problem =
 			srp->header.masked_status &
@@ -1076,8 +1075,8 @@ static int max_sectors_bytes(struct request_queue *q)
 		else {
 			sg_req_info_t *rinfo;
 
-			rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
-								GFP_KERNEL);
+			rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+					GFP_KERNEL);
 			if (!rinfo)
 				return -ENOMEM;
 			read_lock_irqsave(&sfp->rq_list_lock, iflags);
-- 
1.8.5.6

Re: [PATCH 1/2] sg: factor out sg_fill_request_table()

[Bart Van Assche]

On Fri, 2017-09-15 at 14:05 +0200, Hannes Reinecke wrote:
> Factor our sg_fill_request_table() for better readability.

Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>

Re: [PATCH 2/2] sg: fixup infoleak when using SG_GET_REQUEST_TABLE

[Bart Van Assche]

On Fri, 2017-09-15 at 14:05 +0200, Hannes Reinecke wrote:
> When calling SG_GET_REQUEST_TABLE ioctl that only a half-filled
> table is returned; the remaining part will then contain stale
> kernel memory information.
> This patch zeroes out the entire table to avoid this issue.

Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>

Re: [PATCH 1/2] sg: factor out sg_fill_request_table()

[Christoph Hellwig]

On Fri, Sep 15, 2017 at 02:05:15PM +0200, Hannes Reinecke wrote:
> Factor our sg_fill_request_table() for better readability.
> 
> Signed-off-by: Hannes Reinecke <hare@suse.com>

Looks fine,

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH 2/2] sg: fixup infoleak when using SG_GET_REQUEST_TABLE

[Christoph Hellwig]

On Fri, Sep 15, 2017 at 02:05:16PM +0200, Hannes Reinecke wrote:
> When calling SG_GET_REQUEST_TABLE ioctl that only a half-filled
> table is returned; the remaining part will then contain stale
> kernel memory information.
> This patch zeroes out the entire table to avoid this issue.
> 
> Signed-off-by: Hannes Reinecke <hare@suse.com>

Looks good,

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH 2/2] sg: fixup infoleak when using SG_GET_REQUEST_TABLE

[Eric Dumazet]

On Fri, Sep 15, 2017 at 5:05 AM, Hannes Reinecke <hare@suse.de> wrote:
> When calling SG_GET_REQUEST_TABLE ioctl that only a half-filled
> table is returned; the remaining part will then contain stale
> kernel memory information.
> This patch zeroes out the entire table to avoid this issue.
>
> Signed-off-by: Hannes Reinecke <hare@suse.com>
> ---
>  drivers/scsi/sg.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks !

Re: [PATCH 2/2] sg: fixup infoleak when using SG_GET_REQUEST_TABLE

[Linus Torvalds]

Looks good.

James, I expect I'll be getting this through the normal SCSI pulls..

            Linus

On Fri, Sep 15, 2017 at 5:05 AM, Hannes Reinecke <hare@suse.de> wrote:
> When calling SG_GET_REQUEST_TABLE ioctl that only a half-filled
> table is returned; the remaining part will then contain stale
> kernel memory information.
> This patch zeroes out the entire table to avoid this issue.

Re: [PATCH 1/2] sg: factor out sg_fill_request_table()

[Martin K. Petersen]

Hannes,

> Factor our sg_fill_request_table() for better readability.

         ^^^ out

Fixed typo and applied to 4.14/scsi-fixes. I had to do it by hand so
please check.

Thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering

Re: [PATCH 2/2] sg: fixup infoleak when using SG_GET_REQUEST_TABLE

[Martin K. Petersen]

Hannes,

> When calling SG_GET_REQUEST_TABLE ioctl that only a half-filled table
> is returned; the remaining part will then contain stale kernel memory
> information.  This patch zeroes out the entire table to avoid this
> issue.

Applied to 4.14/scsi-fixes. Thank you!

-- 
Martin K. Petersen	Oracle Linux Engineering

Re: [PATCH 1/2] sg: factor out sg_fill_request_table()

[Douglas Gilbert]

On 2017-09-15 08:05 AM, Hannes Reinecke wrote:
> Factor our sg_fill_request_table() for better readability.
> 
> Signed-off-by: Hannes Reinecke <hare@suse.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>

Thanks.

> ---
>   drivers/scsi/sg.c | 62 ++++++++++++++++++++++++++++++++-----------------------
>   1 file changed, 36 insertions(+), 26 deletions(-)
> 
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index 03194c4..f1e20ca0 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -857,6 +857,40 @@ static int max_sectors_bytes(struct request_queue *q)
>   	return max_sectors << 9;
>   }
>   
> +static void
> +sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
> +{
> +	Sg_request *srp;
> +	int val;
> +	unsigned int ms;
> +
> +	val = 0;
> +	list_for_each_entry(srp, &sfp->rq_list, entry) {
> +		if (val > SG_MAX_QUEUE)
> +			break;
> +		memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
> +		rinfo[val].req_state = srp->done + 1;
> +		rinfo[val].problem =
> +			srp->header.masked_status &
> +			srp->header.host_status &
> +			srp->header.driver_status;
> +		if (srp->done)
> +			rinfo[val].duration =
> +				srp->header.duration;
> +		else {
> +			ms = jiffies_to_msecs(jiffies);
> +			rinfo[val].duration =
> +				(ms > srp->header.duration) ?
> +				(ms - srp->header.duration) : 0;
> +		}
> +		rinfo[val].orphan = srp->orphan;
> +		rinfo[val].sg_io_owned = srp->sg_io_owned;
> +		rinfo[val].pack_id = srp->header.pack_id;
> +		rinfo[val].usr_ptr = srp->header.usr_ptr;
> +		val++;
> +	}
> +}
> +
>   static long
>   sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
>   {
> @@ -1041,39 +1075,15 @@ static int max_sectors_bytes(struct request_queue *q)
>   			return -EFAULT;
>   		else {
>   			sg_req_info_t *rinfo;
> -			unsigned int ms;
>   
>   			rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
>   								GFP_KERNEL);
>   			if (!rinfo)
>   				return -ENOMEM;
>   			read_lock_irqsave(&sfp->rq_list_lock, iflags);
> -			val = 0;
> -			list_for_each_entry(srp, &sfp->rq_list, entry) {
> -				if (val > SG_MAX_QUEUE)
> -					break;
> -				memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
> -				rinfo[val].req_state = srp->done + 1;
> -				rinfo[val].problem =
> -					srp->header.masked_status &
> -					srp->header.host_status &
> -					srp->header.driver_status;
> -				if (srp->done)
> -					rinfo[val].duration =
> -						srp->header.duration;
> -				else {
> -					ms = jiffies_to_msecs(jiffies);
> -					rinfo[val].duration =
> -						(ms > srp->header.duration) ?
> -						(ms - srp->header.duration) : 0;
> -				}
> -				rinfo[val].orphan = srp->orphan;
> -				rinfo[val].sg_io_owned = srp->sg_io_owned;
> -				rinfo[val].pack_id = srp->header.pack_id;
> -				rinfo[val].usr_ptr = srp->header.usr_ptr;
> -				val++;
> -			}
> +			sg_fill_request_table(sfp, rinfo);
>   			read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
> +
>   			result = __copy_to_user(p, rinfo,
>   						SZ_SG_REQ_INFO * SG_MAX_QUEUE);
>   			result = result ? -EFAULT : 0;
> 

Re: [PATCH 2/2] sg: fixup infoleak when using SG_GET_REQUEST_TABLE

[Douglas Gilbert]

On 2017-09-15 08:05 AM, Hannes Reinecke wrote:
> When calling SG_GET_REQUEST_TABLE ioctl that only a half-filled
> table is returned; the remaining part will then contain stale
> kernel memory information.
> This patch zeroes out the entire table to avoid this issue.
> 
> Signed-off-by: Hannes Reinecke <hare@suse.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>

Thanks.

> ---
>   drivers/scsi/sg.c | 5 ++---
>   1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index f1e20ca0..7f98ab4 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -868,7 +868,6 @@ static int max_sectors_bytes(struct request_queue *q)
>   	list_for_each_entry(srp, &sfp->rq_list, entry) {
>   		if (val > SG_MAX_QUEUE)
>   			break;
> -		memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
>   		rinfo[val].req_state = srp->done + 1;
>   		rinfo[val].problem =
>   			srp->header.masked_status &
> @@ -1076,8 +1075,8 @@ static int max_sectors_bytes(struct request_queue *q)
>   		else {
>   			sg_req_info_t *rinfo;
>   
> -			rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
> -								GFP_KERNEL);
> +			rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
> +					GFP_KERNEL);
>   			if (!rinfo)
>   				return -ENOMEM;
>   			read_lock_irqsave(&sfp->rq_list_lock, iflags);
>