Re: [PATCH 7/15] megaraid_sas: Sanity check user supplied length in megasas_mgmt_fw_ioctl

public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed

From: "Bjørn Mork" <bjorn@mork.no>
To: adam radford <aradford@gmail.com>
Cc: Tomas Henzl <thenzl@redhat.com>,
	linux-scsi <linux-scsi@vger.kernel.org>,
	Bo.Yang@lsi.com, Ben Hutchings <ben@decadent.org.uk>
Subject: Re: [PATCH 7/15] megaraid_sas: Sanity check user supplied length in megasas_mgmt_fw_ioctl
Date: Thu, 03 Mar 2011 16:26:04 +0100	[thread overview]
Message-ID: <874o7kgr8z.fsf@nemi.mork.no> (raw)
In-Reply-To: <AANLkTinCLCYeF_MF0KRSt6duuqWsYH3nsvWULFWN1JGp@mail.gmail.com> (adam radford's message of "Thu, 24 Feb 2011 16:54:50 -0800")

adam radford <aradford@gmail.com> writes:
> On Thu, Feb 24, 2011 at 6:01 AM, Tomas Henzl <thenzl@redhat.com> wrote:
>>
>> there was proposed another patch for this issue -
>> http://marc.info/?l=linux-scsi&m=129542474703680&w=2
>> I think it's a little bit more precise.
>>
>>        for (i = 0; i < ioc->sge_count; i++) {
>> +               if (!ioc->sgl[i].iov_len)
>> +                       continue;
>> +
>>
>
> I didn't see this was already in scsi-misc-2.6.  I will re-base my
> patch series and repost.

Ben Hutchings noted as well in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604627#47
that this removes the initialisation of kern_sge32[i] when
ioc->sgl[i].iov_len is zero.

Inspecting smartmontools shows that it is not an issue with them, as
they always sge32[0].length = sgl[0].iov_len before issuing the
passthrough command:

/* Issue passthrough scsi command to PERC5/6 controllers */
bool linux_megaraid_device::megasas_cmd(int cdbLen, void *cdb, 
  int dataLen, void *data,
  int /*senseLen*/, void * /*sense*/, int /*report*/)
{
  struct megasas_pthru_frame    *pthru;
  struct megasas_iocpacket      uio;
  int rc;

  memset(&uio, 0, sizeof(uio));
  pthru = (struct megasas_pthru_frame *)uio.frame.raw;
  pthru->cmd = MFI_CMD_PD_SCSI_IO;
  pthru->cmd_status = 0xFF;
  pthru->scsi_status = 0x0;
  pthru->target_id = m_disknum;
  pthru->lun = 0;
  pthru->cdb_len = cdbLen;
  pthru->timeout = 0;
  pthru->flags = MFI_FRAME_DIR_READ;
  pthru->sge_count = 1;
  pthru->data_xfer_len = dataLen;
  pthru->sgl.sge32[0].phys_addr = (intptr_t)data;
  pthru->sgl.sge32[0].length = (uint32_t)dataLen;
  memcpy(pthru->cdb, cdb, cdbLen);

  uio.host_no = m_hba;
  uio.sge_count = 1;
  uio.sgl_off = offsetof(struct megasas_pthru_frame, sgl);
  uio.sgl[0].iov_base = data;
  uio.sgl[0].iov_len = dataLen;

  rc = 0;
  errno = 0;
  rc = ioctl(m_fd, MEGASAS_IOC_FIRMWARE, &uio);





But to be utterly safe against userspace stupidity, the patch should
probably always set the kern_sge32[i].length.  Something like this,
maybe: 



diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 5d6d07b..4cc65fd 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -4611,6 +4611,11 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
         * For each user buffer, create a mirror buffer and copy in
         */
        for (i = 0; i < ioc->sge_count; i++) {
+               if (!ioc->sgl[i].iov_len) {
+                       kern_sge32[i].length = 0;
+                       continue;
+               }
+
                kbuff_arr[i] = dma_alloc_coherent(&instance->pdev->dev,
                                                    ioc->sgl[i].iov_len,
                                                    &buf_handle, GFP_KERNEL);
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

     prev parent reply	other threads:[~2011-03-03 15:37 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-02-20  2:22 [PATCH 7/15] megaraid_sas: Sanity check user supplied length in megasas_mgmt_fw_ioctl adam radford
2011-02-24 14:01 ` Tomas Henzl
2011-02-25  0:54   ` adam radford
2011-03-03 15:26     ` Bjørn Mork [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5d6d07b dfblob:4cc65fd )
 OR (
bs:"Re: [PATCH 7/15] megaraid_sas: Sanity check user supplied length in megasas_mgmt_fw_ioctl" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=874o7kgr8z.fsf@nemi.mork.no \
    --to=bjorn@mork.no \
    --cc=Bo.Yang@lsi.com \
    --cc=aradford@gmail.com \
    --cc=ben@decadent.org.uk \
    --cc=linux-scsi@vger.kernel.org \
    --cc=thenzl@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox