From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:44596 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752158AbdIVLS2 (ORCPT ); Fri, 22 Sep 2017 07:18:28 -0400 Subject: Patch "scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE" has been added to the 3.18-stable tree To: hare@suse.de, bart.vanassche@wdc.com, edumazet@google.com, gregkh@linuxfoundation.org, hare@suse.com, hch@lst.de, martin.petersen@oracle.com Cc: , From: Date: Fri, 22 Sep 2017 13:18:19 +0200 Message-ID: <15060790996130@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: scsi-sg-fixup-infoleak-when-using-sg_get_request_table.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 3e0097499839e0fe3af380410eababe5a47c4cf9 Mon Sep 17 00:00:00 2001 From: Hannes Reinecke Date: Fri, 15 Sep 2017 14:05:16 +0200 Subject: scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE From: Hannes Reinecke commit 3e0097499839e0fe3af380410eababe5a47c4cf9 upstream. When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is returned; the remaining part will then contain stale kernel memory information. This patch zeroes out the entire table to avoid this issue. Signed-off-by: Hannes Reinecke Reviewed-by: Bart Van Assche Reviewed-by: Christoph Hellwig Reviewed-by: Eric Dumazet Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/sg.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -865,7 +865,6 @@ sg_fill_request_table(Sg_fd *sfp, sg_req list_for_each_entry(srp, &sfp->rq_list, entry) { if (val > SG_MAX_QUEUE) break; - memset(&rinfo[val], 0, SZ_SG_REQ_INFO); rinfo[val].req_state = srp->done + 1; rinfo[val].problem = srp->header.masked_status & @@ -1082,8 +1081,8 @@ sg_ioctl(struct file *filp, unsigned int else { sg_req_info_t *rinfo; - rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE, - GFP_KERNEL); + rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE, + GFP_KERNEL); if (!rinfo) return -ENOMEM; read_lock_irqsave(&sfp->rq_list_lock, iflags); Patches currently in stable-queue which might be from hare@suse.de are queue-3.18/scsi-sg-use-standard-lists-for-sg_requests.patch queue-3.18/scsi-sg-factor-out-sg_fill_request_table.patch queue-3.18/skd-submit-requests-to-firmware-before-triggering-the-doorbell.patch queue-3.18/scsi-sg-remove-save_scat_len.patch queue-3.18/block-relax-a-check-in-blk_start_queue.patch queue-3.18/scsi-sg-fixup-infoleak-when-using-sg_get_request_table.patch queue-3.18/skd-avoid-that-module-unloading-triggers-a-use-after-free.patch