Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1908972imm;
        Tue, 22 May 2018 11:16:21 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrrQt28gNciU/PuHEuGhfG6XV4QVYJk/Ep9WuaXnIFzBmHrqXlRC7AfX05vModa/dD3/y9D
X-Received: by 2002:a17:902:9a4b:: with SMTP id x11-v6mr26211211plv.176.1527012981857;
        Tue, 22 May 2018 11:16:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527012981; cv=none;
        d=google.com; s=arc-20160816;
        b=OYUJ60Ck6xK59vvnaigm/Poq8VEyKLY0aBN4Fq+swZ9b9z1/i1F2tytX/B6/JxPSyA
         OCN4pAxgoZHjHO7SenUE2ZI4aLFJ5JnkKC7Szb6BfZt1I2y3R6WeZcjcZVdT45dos/TS
         z5t81i4pJPjMXyg+Ar2g61y4uZULwXoQidkfym1hh4cbGLNZ7SVpnYB/xj4EWbas7VoQ
         pR/3ZUg0S2hMRE9mnwoxnVlx2tnc38t204T+V2yuond+htrEmBJFXXbUcZPp3jTVuoZe
         jQoJYlonaJQkv0/RtGOzmddcwkC6i8asgwd7BKnnqPC+GrIGIvSsWNhTpeGrMI+qxicc
         7LWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature:arc-authentication-results;
        bh=lJag4coE7iCMp1DSMdlDISOHos375cWKPRK28tZ9c1M=;
        b=iVUU1V3lRjId/eqyP87n5EFBY1k1Z0JOQH2pzZOFLjwBpppB+aG5jC+y/x1ijF2VFO
         lvjK8Apj6XN968eKaPZOHzwZpnRvXA1GCdUI1QIz0SZMRBNUH6xoQJrHpRtGjKRGiNsP
         7SniEFhpli78wz5LRwCRtW3oFSQTK3eEBxp+uT4Vdst+bbx9C6Z99Xfsr8onas6JkUVd
         /+5z2bGKy/Xcc/RnuwZlH7SNB3XJda0ojDSiHkoq3BD/fiG4lcLAuMNrgNecmOKw6MSw
         QFyGQ6eIY/7D3+JtDwnpHNfm1Of5i2wU6ain30vlsX7bFopV4HTKzryO8NAPFFFVSeuy
         jkjA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=NEFD8WBO;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i15-v6si611042pgr.566.2018.05.22.11.16.07;
        Tue, 22 May 2018 11:16:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=NEFD8WBO;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751750AbeEVSPg (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Tue, 22 May 2018 14:15:36 -0400
Received: from mail-pl0-f65.google.com ([209.85.160.65]:46183 "EHLO
        mail-pl0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751656AbeEVSP0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 22 May 2018 14:15:26 -0400
Received: by mail-pl0-f65.google.com with SMTP id 30-v6so11369354pld.13
        for <linux-kernel@vger.kernel.org>; Tue, 22 May 2018 11:15:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=lJag4coE7iCMp1DSMdlDISOHos375cWKPRK28tZ9c1M=;
        b=NEFD8WBO4MuZhhOynI62Lb8ZEw3BuqXwLOBhr1TuEoGwq2EK8Od3yrxba/qZpmnkoP
         FZhqpfyjdsW+lXUmHQIK5ibr2Mr5dLuuCR7gxpqGbOpmgI3d8uvXv6hDJxjzrl6fTFUN
         IMDdjohQFgraZlUrbwMYkVzrmzRXVt/hVPA70=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=lJag4coE7iCMp1DSMdlDISOHos375cWKPRK28tZ9c1M=;
        b=Ng4THkw6CnWmdTmHJJMCr08s6ywZU12bBUSLraEqy83jWvL+xqqiK5p8ocsDf+o5xx
         aGZymCO0Xg7DYiADnCyPcrhOyEyZR6k9vfPiFz6YgFVlHsunU0ZheSp2leQkyAGgbm5c
         9C3aenMoHOLDhEIQuws+kT26h1H/GRkgGwrH1QPvuBwXFDQ+XueQgd7YbHTSvZzbKdO3
         mWkspFo5IuC+DGYar6Uc0N7T8D1szlQZNTcjW54Db03Rau6QvXP51VHwhd65Gh593C2/
         9DnRWwcGEbVsUSnmAif00Xczez6yhNfW4lHZSvOYlj3KU5Tw1BzgDa/nRtaNSO8EOTvO
         u98g==
X-Gm-Message-State: ALKqPwfOMiweRcSllXNIW59HcBinfXGQHlXshjy73I+34hTlbjehzUU0
        B96uG2pFXHnDFmqwFCEqzmEHKQ==
X-Received: by 2002:a17:902:7582:: with SMTP id j2-v6mr25715717pll.65.1527012926312;
        Tue, 22 May 2018 11:15:26 -0700 (PDT)
Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133])
        by smtp.gmail.com with ESMTPSA id w134-v6sm28934638pfd.187.2018.05.22.11.15.21
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 22 May 2018 11:15:24 -0700 (PDT)
From:   Kees Cook <keescook@chromium.org>
To:     Jens Axboe <axboe@kernel.dk>
Cc:     Kees Cook <keescook@chromium.org>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        James Bottomley <James.Bottomley@hansenpartnership.com>,
        Tejun Heo <tj@kernel.org>, Borislav Petkov <bp@alien8.de>,
        "David S. Miller" <davem@davemloft.net>,
        "Manoj N. Kumar" <manoj@linux.vnet.ibm.com>,
        "Matthew R. Ochs" <mrochs@linux.vnet.ibm.com>,
        Uma Krishnan <ukrishn@linux.vnet.ibm.com>,
        linux-block@vger.kernel.org, linux-ide@vger.kernel.org,
        linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 6/6] scsi: Check sense buffer size at build time
Date:   Tue, 22 May 2018 11:15:12 -0700
Message-Id: <20180522181512.39316-7-keescook@chromium.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180522181512.39316-1-keescook@chromium.org>
References: <20180522181512.39316-1-keescook@chromium.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

To avoid introducing problems like those fixed in commit f7068114d45e
("sr: pass down correctly sized SCSI sense buffer"), this creates a macro
wrapper for scsi_execute() that verifies the size of the sense buffer
similar to what was done for command string sizes in commit 3756f6401c30
("exec: avoid gcc-8 warning for get_task_comm").

Another solution could be to add another argument to scsi_execute(),
but this function already takes a lot of arguments and Jens was not fond
of that approach. As there was only a pair of dynamically allocated sense
buffers, this also moves those 96 bytes onto the stack to avoid triggering
the sizeof() check.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/scsi/scsi_lib.c    |  6 +++---
 include/scsi/scsi_device.h | 12 +++++++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index e9b4f279d29c..718c2bec4516 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -238,7 +238,7 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
 
 
 /**
- * scsi_execute - insert request and wait for the result
+ * __scsi_execute - insert request and wait for the result
  * @sdev:	scsi device
  * @cmd:	scsi command
  * @data_direction: data direction
@@ -255,7 +255,7 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
  * Returns the scsi_cmnd result field if a command was executed, or a negative
  * Linux error code if we didn't get that far.
  */
-int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 		 int data_direction, void *buffer, unsigned bufflen,
 		 unsigned char *sense, struct scsi_sense_hdr *sshdr,
 		 int timeout, int retries, u64 flags, req_flags_t rq_flags,
@@ -309,7 +309,7 @@ int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 
 	return ret;
 }
-EXPORT_SYMBOL(scsi_execute);
+EXPORT_SYMBOL(__scsi_execute);
 
 /*
  * Function:    scsi_init_cmd_errh()
diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
index 7ae177c8e399..1bb87b6c0ad2 100644
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -426,11 +426,21 @@ extern const char *scsi_device_state_name(enum scsi_device_state);
 extern int scsi_is_sdev_device(const struct device *);
 extern int scsi_is_target_device(const struct device *);
 extern void scsi_sanitize_inquiry_string(unsigned char *s, int len);
-extern int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 			int data_direction, void *buffer, unsigned bufflen,
 			unsigned char *sense, struct scsi_sense_hdr *sshdr,
 			int timeout, int retries, u64 flags,
 			req_flags_t rq_flags, int *resid);
+/* Make sure any sense buffer is the correct size. */
+#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense,	\
+		     sshdr, timeout, retries, flags, rq_flags, resid)	\
+({									\
+	BUILD_BUG_ON((sense) != NULL &&					\
+		     sizeof(sense) != SCSI_SENSE_BUFFERSIZE);		\
+	__scsi_execute(sdev, cmd, data_direction, buffer, bufflen,	\
+		       sense, sshdr, timeout, retries, flags, rq_flags,	\
+		       resid);						\
+})
 static inline int scsi_execute_req(struct scsi_device *sdev,
 	const unsigned char *cmd, int data_direction, void *buffer,
 	unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout,
-- 
2.17.0