Received: by 10.223.176.46 with SMTP id f43csp3259272wra;
        Mon, 22 Jan 2018 10:58:55 -0800 (PST)
X-Google-Smtp-Source: AH8x2245cAfazgo0OvPldhTlNBGeGO6B2ImXNBK9gTbVq32b0ZxRIHSgS0cKwve2CaPlmCu3nX1S
X-Received: by 10.36.44.197 with SMTP id i188mr9943379iti.102.1516647535773;
        Mon, 22 Jan 2018 10:58:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516647535; cv=none;
        d=google.com; s=arc-20160816;
        b=Z0ixe41IWVBWrN6ykzowjkThuosENpHr0tPYH6oCN17a+dxKYHPaen3yEaffmhJGm6
         qcCDDFIEgKwQYp+VRD6qCUnT1zsYj359W1VFqDrCxoXhxlsY0ECmtIMptCaWnuIHL0CS
         J1iNr5Q9RAEIY2LKkp73LsviU0w03bhncmdVJl16Q+cgxTM3a6OPyz2XPhHE6fnpNmDY
         8tBzo28nx9RYY4reA7WYTY80PqP4Sj7eYAAHHLlJwozM8+oFbqE+B8p/4H/ZJXWzrkvE
         cXT67rRCNERA3auyTnXW51BIZBHGTBPc0prEjHKJAU9TX1ou61K76hCvcdgmxDvlUGlF
         Ca/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:reply-to
         :arc-authentication-results;
        bh=AVmaIwPrFK19DCrUi0QzBLXSu1CNAggW+wyYuNiF0X8=;
        b=nPD46Dug3juB+ueGZ22k76Bmi6zFMA8u30akO1yShMeh2KMuQgcHYC4+NhjkxU80Ky
         nakAJCnCaKrad+DCZDd2jWbwfIM2RH6LbEyKi6XNWyl0SoQeDINJKhNXbjK2T9oVmFqE
         R+E6lrf/H220Ehi/pUkKfaOqipklWF7MEHXEwWZCMfUKQg4gMRMbBidQKPeb0X7XjUQ7
         aOLw90Z0LqWT+sjq/sVlPoPheVulNl51+gQWoAWsA0B/g9XuRPyg7s1xvO4ssXwq4vWi
         eApRb0S7RoY4W3vxQlReV1jaS/NKKch7JC9RY/nWH1zaPyzYRi1Dy72leDsDw64SszHo
         yoqQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c4si6265230itf.116.2018.01.22.10.58.43;
        Mon, 22 Jan 2018 10:58:55 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751802AbeAVS6A (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Mon, 22 Jan 2018 13:58:00 -0500
Received: from smtp.infotech.no ([82.134.31.41]:33626 "EHLO smtp.infotech.no"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751480AbeAVS57 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 22 Jan 2018 13:57:59 -0500
Received: from localhost (localhost [127.0.0.1])
        by smtp.infotech.no (Postfix) with ESMTP id 74328204237;
        Mon, 22 Jan 2018 19:57:56 +0100 (CET)
X-Virus-Scanned: by amavisd-new-2.6.6 (20110518) (Debian) at infotech.no
Received: from smtp.infotech.no ([127.0.0.1])
        by localhost (smtp.infotech.no [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id MmWvB3IDixqt; Mon, 22 Jan 2018 19:57:53 +0100 (CET)
Received: from [192.168.48.23] (host-45-78-208-28.dyn.295.ca [45.78.208.28])
        by smtp.infotech.no (Postfix) with ESMTPA id A668820414A;
        Mon, 22 Jan 2018 19:57:52 +0100 (CET)
Reply-To: dgilbert@interlog.com
Subject: Re: scsi: sg: assorted memory corruptions
To:     Bart Van Assche <Bart.VanAssche@wdc.com>,
        "jejb@linux.vnet.ibm.com" <jejb@linux.vnet.ibm.com>,
        "linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
        "dvyukov@google.com" <dvyukov@google.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "martin.petersen@oracle.com" <martin.petersen@oracle.com>,
        "ben.hutchings@codethink.co.uk" <ben.hutchings@codethink.co.uk>
Cc:     "syzkaller@googlegroups.com" <syzkaller@googlegroups.com>
References: <CACT4Y+b0pizvOAxtWQ-TGCRAYvHXdv79BAEaXh50W6vF8gBvkQ@mail.gmail.com>
 <1516638634.2545.0.camel@wdc.com>
From:   Douglas Gilbert <dgilbert@interlog.com>
Message-ID: <097921fa-52c5-8b2b-f564-4b24d9720478@interlog.com>
Date:   Mon, 22 Jan 2018 13:57:49 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <1516638634.2545.0.camel@wdc.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-CA
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018-01-22 11:30 AM, Bart Van Assche wrote:
> On Mon, 2018-01-22 at 12:06 +0100, Dmitry Vyukov wrote:
>> general protection fault: 0000 [#1] SMP KASAN
> 
> How about the untested patch below?
> 
> Thanks,
> 
> Bart.
> 
> 
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index cd9b6ebd7257..04a644b39d79 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -627,6 +627,10 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
>   	mutex_unlock(&sfp->f_mutex);
>   	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sdp,
>   		"sg_write:   scsi opcode=0x%02x, cmd_size=%d\n", (int) opcode, cmd_size));
> +	if (cmd_size > sizeof(cmnd)) {
> +		sg_remove_request(sfp, srp);
> +		return -EFAULT;
> +	}
>   	/* Determine buffer size.  */
>   	input_size = count - cmd_size;
>   	mxsize = max(input_size, old_hdr.reply_len);
> 

Using 'scsi_logging_level -s -T 5' on the sg driver and running the test
program provided, the cmd_size is 9, just like the ioctl() in his program
set it to. The sizeof(cmnd) is 252. So I don't know what caused the
GPF but it wasn't cmd_size being out of bounds.

As for the above patch, did you notice this check in that function:

         if ((!hp->cmdp) || (hp->cmd_len < 6) || (hp->cmd_len > sizeof (cmnd))) {
                 sg_remove_request(sfp, srp);
                 return -EMSGSIZE;
         }

As far as I remember, Dmitry has not indicated in multiple reports
over several years what /dev/sg0 is. Perhaps it misbehaves when it
gets a SCSI command in the T10 range (i.e. not vendor specific) with
a 9 byte cdb length. As far as I'm aware T10 (and the Ansi committee
before it) have never defined a cdb with an odd length.

For those that are not aware, the sg driver is a relatively thin
shim over the block layer, the SCSI mid-level, and a low-level
driver which may have another kernel driver stack underneath it
(e.g. UAS (USB attached SCSI)). The previous report from syzkaller
on the sg driver ("scsi: memory leak in sg_start_req") has resulted
in one accepted patch on the block layer with probably more to
come in the same area.

Testing the patch Dmitry gave (with some added error checks which
reported no problems) with the scsi_debug driver supplying /dev/sg0
I have not seen any problems running that test program. Again
there might be a very slow memory leak, but if there is I don't
believe it is in the sg driver.


While it's not invalid from a testing perspective, throwing total
nonsense at a pass-through mechanism, including absurd SCSI commands
at best will test error paths, but only at a very shallow level.
Setting up almost valid pass-through scenarios will test error
paths at a deeper level. Then there are lots of valid pass-through
scenarios that would be expected not to fail.

Doug Gilbert