[PATCH 4.9] sr: pass down correctly sized SCSI sense buffer

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 4.9] sr: pass down correctly sized SCSI sense buffer
@ 2018-12-10 18:14 Ben Hutchings
  2018-12-10 22:58 ` Sasha Levin
  0 siblings, 1 reply; 2+ messages in thread
From: Ben Hutchings @ 2018-12-10 18:14 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Sasha Levin; +Cc: stable

From: Jens Axboe <axboe@kernel.dk>

commit f7068114d45ec55996b9040e98111afa56e010fe upstream.

We're casting the CDROM layer request_sense to the SCSI sense
buffer, but the former is 64 bytes and the latter is 96 bytes.
As we generally allocate these on the stack, we end up blowing
up the stack.

Fix this by wrapping the scsi_execute() call with a properly
sized sense buffer, and copying back the bits for the CDROM
layer.

Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com>
Reported-by: Daniel Shapira <daniel@twistlock.com>
Tested-by: Kees Cook <keescook@chromium.org>
Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[bwh: Despite what the "Fixes" field says, a buffer overrun was already
 possible if the sense data was really > 64 bytes long.
 Backported to 4.9:
 - We always need to allocate a sense buffer in order to call
   scsi_normalize_sense()
 - Remove the existing conditional heap-allocation of the sense buffer]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
 drivers/scsi/sr_ioctl.c | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 03054c0e7689..3c3e8115f73d 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -187,30 +187,25 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
 	struct scsi_device *SDev;
 	struct scsi_sense_hdr sshdr;
 	int result, err = 0, retries = 0;
-	struct request_sense *sense = cgc->sense;
+	unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE];
 
 	SDev = cd->device;
 
-	if (!sense) {
-		sense = kmalloc(SCSI_SENSE_BUFFERSIZE, GFP_KERNEL);
-		if (!sense) {
-			err = -ENOMEM;
-			goto out;
-		}
-	}
-
       retry:
 	if (!scsi_block_when_processing_errors(SDev)) {
 		err = -ENODEV;
 		goto out;
 	}
 
-	memset(sense, 0, sizeof(*sense));
+	memset(sense_buffer, 0, sizeof(sense_buffer));
 	result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
-			      cgc->buffer, cgc->buflen, (char *)sense,
+			      cgc->buffer, cgc->buflen, sense_buffer,
 			      cgc->timeout, IOCTL_RETRIES, 0, NULL);
 
-	scsi_normalize_sense((char *)sense, sizeof(*sense), &sshdr);
+	scsi_normalize_sense(sense_buffer, sizeof(sense_buffer), &sshdr);
+
+	if (cgc->sense)
+		memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
 
 	/* Minimal error checking.  Ignore cases we know about, and report the rest. */
 	if (driver_byte(result) != 0) {
@@ -261,8 +256,6 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
 
 	/* Wake up a process waiting for device */
       out:
-	if (!cgc->sense)
-		kfree(sense);
 	cgc->stat = err;
 	return err;
 }
-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH 4.9] sr: pass down correctly sized SCSI sense buffer
  2018-12-10 18:14 [PATCH 4.9] sr: pass down correctly sized SCSI sense buffer Ben Hutchings
@ 2018-12-10 22:58 ` Sasha Levin
  0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2018-12-10 22:58 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: Greg Kroah-Hartman, Sasha Levin, stable

On Mon, Dec 10, 2018 at 06:14:16PM +0000, Ben Hutchings wrote:
>From: Jens Axboe <axboe@kernel.dk>
>
>commit f7068114d45ec55996b9040e98111afa56e010fe upstream.
>
>We're casting the CDROM layer request_sense to the SCSI sense
>buffer, but the former is 64 bytes and the latter is 96 bytes.
>As we generally allocate these on the stack, we end up blowing
>up the stack.
>
>Fix this by wrapping the scsi_execute() call with a properly
>sized sense buffer, and copying back the bits for the CDROM
>layer.
>
>Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com>
>Reported-by: Daniel Shapira <daniel@twistlock.com>
>Tested-by: Kees Cook <keescook@chromium.org>
>Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
>Signed-off-by: Jens Axboe <axboe@kernel.dk>
>[bwh: Despite what the "Fixes" field says, a buffer overrun was already
> possible if the sense data was really > 64 bytes long.
> Backported to 4.9:
> - We always need to allocate a sense buffer in order to call
>   scsi_normalize_sense()
> - Remove the existing conditional heap-allocation of the sense buffer]
>Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>

Queued for 4.9, thank you.

--
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-12-10 22:58 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-10 18:14 [PATCH 4.9] sr: pass down correctly sized SCSI sense buffer Ben Hutchings
2018-12-10 22:58 ` Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).