From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.kernel.org ([198.145.29.99]:43544 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729467AbeLJW6m (ORCPT ); Mon, 10 Dec 2018 17:58:42 -0500
Date: Mon, 10 Dec 2018 17:58:40 -0500
From: Sasha Levin
To: Ben Hutchings
Cc: Greg Kroah-Hartman, Sasha Levin, stable
Subject: Re: [PATCH 4.9] sr: pass down correctly sized SCSI sense buffer
Message-ID: <20181210225840.GF97256@sasha-vm>
References: <20181210181416.3kspglynxfm36lm5@xylophone.i.decadent.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <20181210181416.3kspglynxfm36lm5@xylophone.i.decadent.org.uk>
Sender: stable-owner@vger.kernel.org
List-ID:

On Mon, Dec 10, 2018 at 06:14:16PM +0000, Ben Hutchings wrote:
>From: Jens Axboe
>
>commit f7068114d45ec55996b9040e98111afa56e010fe upstream.
>
>We're casting the CDROM layer request_sense to the SCSI sense
>buffer, but the former is 64 bytes and the latter is 96 bytes.
>As we generally allocate these on the stack, we end up blowing
>up the stack.
>
>Fix this by wrapping the scsi_execute() call with a properly
>sized sense buffer, and copying back the bits for the CDROM
>layer.
>
>Reported-by: Piotr Gabriel Kosinski
>Reported-by: Daniel Shapira
>Tested-by: Kees Cook
>Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
>Signed-off-by: Jens Axboe
>[bwh: Despite what the "Fixes" field says, a buffer overrun was already
> possible if the sense data was really > 64 bytes long.
> Backported to 4.9:
> - We always need to allocate a sense buffer in order to call
>   scsi_normalize_sense()
> - Remove the existing conditional heap-allocation of the sense buffer]
>Signed-off-by: Ben Hutchings

Queued for 4.9, thank you.

--
Thanks,
Sasha
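To illustrate the size mismatch the commit message describes, here is an added, self-contained C sketch; it is not kernel code and not the patch itself, and the struct, function names and the simulated SCSI layer are stand-ins. It models scsi_execute() as a call that fills a full 96-byte sense buffer, shows the cast of the 64-byte CDROM structure being refused by a length check instead of overrunning the stack, and shows the wrapper pattern from the fix: a correctly sized local buffer, then copying back only what the CDROM layer's structure can hold.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes from the commit message; the names are stand-ins, not kernel types. */
#define CDROM_SENSE_LEN 64
#define SCSI_SENSE_BUFFERSIZE 96
#define EOVERRUN (-1)

struct request_sense {          /* CDROM layer structure: 64 bytes */
    uint8_t data[CDROM_SENSE_LEN];
};

/* Simulated SCSI midlayer: it fills every byte of a 96-byte sense buffer.
 * Instead of silently writing past a short buffer (the real defect), it
 * refuses, so the mismatch becomes an observable error. */
static int scsi_execute_sim(uint8_t *sense, size_t sense_len)
{
    if (sense_len < SCSI_SENSE_BUFFERSIZE)
        return EOVERRUN;
    for (size_t i = 0; i < SCSI_SENSE_BUFFERSIZE; i++)
        sense[i] = (uint8_t)(0x70 + i); /* constructed sense pattern */
    return 0;
}

/* Before the fix: the 64-byte struct is passed as the sense buffer. */
int sr_sense_before(struct request_sense *rs)
{
    return scsi_execute_sim(rs->data, sizeof(*rs));
}

/* After the fix: a properly sized local buffer receives the sense data and
 * only the part that fits the CDROM structure is copied back. */
int sr_sense_after(struct request_sense *rs)
{
    uint8_t sense[SCSI_SENSE_BUFFERSIZE];
    int ret = scsi_execute_sim(sense, sizeof(sense));
    if (ret)
        return ret;
    size_t n = sizeof(*rs) < sizeof(sense) ? sizeof(*rs) : sizeof(sense);
    memcpy(rs, sense, n);
    return 0;
}
```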