From: Kees Cook
Date: Tue, 17 Apr 2018 14:47:00 -0700
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To: Jens Axboe
Cc: Paolo Valente, Oleksandr Natalenko, Bart Van Assche, David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, LKML, Christoph Hellwig, Hannes Reinecke, Johannes Thumshirn, linux-block@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 17, 2018 at 2:39 PM, Jens Axboe wrote:
> On 4/17/18 3:25 PM, Kees Cook wrote:
>> On Tue, Apr 17, 2018 at 1:46 PM, Kees Cook wrote:
>>> I see elv.priv[1] assignments made in a few places -- is it possible
>>> there is some kind of uninitialized-but-not-NULL state that can leak
>>> in there?
>>
>> Got it. This fixes it for me:
>>
>> diff --git a/block/blk-mq.c b/block/blk-mq.c
>> index 0dc9e341c2a7..859df3160303 100644
>> --- a/block/blk-mq.c
>> +++ b/block/blk-mq.c
>> @@ -363,7 +363,7 @@ static struct request *blk_mq_get_request(struct
>> request_queue *q,
>>
>> rq = blk_mq_rq_ctx_init(data, tag, op);
>> if (!op_is_flush(op)) {
>> - rq->elv.icq = NULL;
>> + memset(&rq->elv, 0, sizeof(rq->elv));
>> if (e && e->type->ops.mq.prepare_request) {
>> if (e->type->icq_cache && rq_ioc(bio))
>> blk_mq_sched_assign_ioc(rq, bio);
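Review bot: the widened clear in blk_mq_get_request() is still inside `if (!op_is_flush(op))`, so a flush request keeps whatever `rq->elv` held from its previous use; if stale `elv.priv[]` is the failure mode, either move `memset(&rq->elv, 0, sizeof(rq->elv));` above the branch or have the commit message state why flush requests never reach the scheduler's prepare_request path shown in the context lines. The message should also record the root cause named in this thread (a non-NULL leftover in `elv.priv[1]`), because read on its own the diff looks like a gratuitous widening of `rq->elv.icq = NULL`.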
>> @@ -461,7 +461,7 @@ void blk_mq_free_request(struct request *rq)
>> e->type->ops.mq.finish_request(rq);
>> if (rq->elv.icq) {
>> put_io_context(rq->elv.icq->ioc);
>> - rq->elv.icq = NULL;
>> + memset(&rq->elv, 0, sizeof(rq->elv));
>> }
>> }
>
> This looks like a BFQ problem, this should not be necessary. Paolo,
> you're calling your own prepare request handler from the insert
> as well, and your prepare request does nothing if rq->elv.icq == NULL.

I sent the patch anyway, since it's kind of a robustness improvement,
I'd hope. If you fix BFQ also, please add:

Reported-by: Oleksandr Natalenko
Root-caused-by: Kees Cook

:)

I gotta task-switch to other things! Thanks for the pointers, and thank
you Oleksandr for providing the reproducer!

-Kees

--
Kees Cook
Pixel Security
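Review bot: on the free side the `memset` in blk_mq_free_request() sits inside `if (rq->elv.icq)`, so a request freed with `rq->elv.icq == NULL` (the very condition under which, per the reply above, BFQ's prepare handler does nothing) keeps its `elv.priv[]` contents for the next allocation; if the clear on free is meant to stop stale private state leaking across reuse, hoist it out of the icq branch, and if the allocation-side memset in the first hunk is considered sufficient, this free-side change is redundant and could be dropped to keep the patch minimal.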