Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1321560imm; Wed, 23 May 2018 14:08:55 -0700 (PDT) X-Google-Smtp-Source: AB8JxZppX6Y41sGeVjtkposp/s/rbpatgqnMigwnqXTqSucln+AiBBqqbsqIgUA3eRp/ru0ttu/p X-Received: by 2002:a63:304:: with SMTP id 4-v6mr351339pgd.290.1527109734977; Wed, 23 May 2018 14:08:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527109734; cv=none; d=google.com; s=arc-20160816; b=rDOH/vilceQiTEUw1daSzcKhZQw8JdB6BVoj3vSB3CHQYUgDlWe8J2nLng2gKx403G hK9bWTEVc/CJhmNy1OKmKxM1tACh0NryBsLFcywEJruZCVo/VdtoOpvKv67df/VG6W2g yEgoeRZ8o4JXPge5r+HDlItcK8BSceGsiVf5FB1Lf917u1JOjDp1dzc5Tt8ZA9HR6hvB DSiBpdU84N427L2F6WwiQ6ekqwodvNi1fdGMNwTcnfU4ZVf56Mc5kenz/RoWqnp0GQ+1 5aGrPjF5CCLy+c9xlh4SwAbb+7F7CwNACExCInMETNorpkmHVl9xEo0O5lP83x1mc2lt cVzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=1k8P3kkmtcDPZkEBLIISHFcA5ymgxfIfcPLzGg09flI=; b=uo/6PKWTOgbMwJnirG88Azv3HqQ7XJFWBWYRtUPylGOA8TMo69ZmtqFpBpauBLPtmn o1S/X3oH3FAWVwrRSE1Bkde5kpGVusgDPFuuiEVW6ELZ2Bm8sG26Vk/MVLajFGrNM6+o DDcZ3fUfgxvdtUUmVEMSZqsbtRzMLZrV/lb760vqbDHGyXLowDj0E+3ljTQDcjwe7KEw HVWmM3alK5B/+jhIMY8Vv2v71AfGfPeWqFDG4jZYzwePRNr/f7aGFClymyn2s66JoHmM NP2wyuSCvaRMB/CBgzjCsR4p4gYVrw+X6kOpN2Qrz+cSWP0BAk/7ZVoHPI80Pf2Xfusm 3+9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=aEpFx6yX; dkim=fail header.i=@chromium.org header.s=google header.b=JEmjUIi8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si20287216pld.450.2018.05.23.14.08.40; Wed, 23 May 2018 14:08:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=aEpFx6yX; dkim=fail header.i=@chromium.org header.s=google header.b=JEmjUIi8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935064AbeEWVIY (ORCPT + 99 others); Wed, 23 May 2018 17:08:24 -0400 Received: from mail-ua0-f194.google.com ([209.85.217.194]:36033 "EHLO mail-ua0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934230AbeEWVIV (ORCPT ); Wed, 23 May 2018 17:08:21 -0400 Received: by mail-ua0-f194.google.com with SMTP id b25-v6so15751355uak.3 for ; Wed, 23 May 2018 14:08:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=1k8P3kkmtcDPZkEBLIISHFcA5ymgxfIfcPLzGg09flI=; b=aEpFx6yXyWibmRx3NFxA3Y/f/3RL7DKAT8QHRowXRGU3f3RzBw7xWiIKe/vCT5TZkw 9N7x3vr8rVhlAMYvLJkXnsZ75WV/IY8Mf95TuONsF6cZeEweUx5ufauGHyZuEVNzL0PL LejJmz/a/h22hxhVxZcjVcUogs+i9n7E2RmfZw6/gemMm2OHHwGHxjYLRoPXvm7aqx2D oACSND8ZWSNl/2s4QeR1tbqeXALnzJzP+2uxaPm0+qupgoJXZxZr2995107H19Hq7V79 ltNhMWMx114iKTSi0418Vbx6mX0RCe45/x07t5PF3hfa74aCzAgs0aq3vl0p3QnbhUBW Eqcg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=1k8P3kkmtcDPZkEBLIISHFcA5ymgxfIfcPLzGg09flI=; b=JEmjUIi8WbBxsH1MrGHaNRJOAz65WLY07XcLl7D3ncFELeMjhNE50UkOpXfZSQ4FPS /bgbvtSrHspor+n2ZhRcU2mYZNN7oHu8afPyXVa5NoX+dTLli0hmBfrbTjGRGxfMQKXA OJp1qEz0FH52xK5tRnShCjg+V9A6eiw8R83Aw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=1k8P3kkmtcDPZkEBLIISHFcA5ymgxfIfcPLzGg09flI=; b=XFEECsXzM3Rob9ACXKLWClblzMUPmXGTDRTC/uyj3cZFr1JTolThv0FbDqroXkG4EO qDYWH4MazRV0kteYGpso/MT0qr5392E12eSrYo188MBbhCZOkutZfzKq9PcQsgNbGPhA +4kpo+ixPUdZn6VJiJfU+0BSHwMaiPwVlr2rdpoI08y6XzCX1fQmY0uz4soN3QHEnV/w qO/WdIxSGjDAYI6CUfBpQQ+s7IL9M/wtXG5Pj4MbYN3bF1zg3+nh6zDKae6ZSDDY3uZm OUPLoaI4DkTkD/PqoyheA6T0YYFKLUoyTrP97YDGARrXgJyp7/a99KniPvSLe2jqht9Y fqGw== X-Gm-Message-State: ALKqPwcLIhBX3s3wiTGmjLo76ZazqiLAZP/wfGFTY2Zmp1RrYuj3j2YY Sg3oC3pGglOq2vm3Q84aCZ4G90xKcdDXtD0yhgXzBQ== X-Received: by 2002:ab0:2508:: with SMTP id j8-v6mr3037177uan.83.1527109700552; Wed, 23 May 2018 14:08:20 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a1f:bd1:0:0:0:0:0 with HTTP; Wed, 23 May 2018 14:08:19 -0700 (PDT) In-Reply-To: <7de525d4-52f4-80f2-1f55-a3a5c37d7bf9@cogentembedded.com> References: <20180522181512.39316-1-keescook@chromium.org> <20180522181512.39316-7-keescook@chromium.org> <7de525d4-52f4-80f2-1f55-a3a5c37d7bf9@cogentembedded.com> From: Kees Cook Date: Wed, 23 May 2018 14:08:19 -0700 X-Google-Sender-Auth: cu8eg49o3-RiHiZjQeh0mmyTZJ8 Message-ID: Subject: Re: [PATCH 6/6] scsi: Check sense buffer size at build time To: Sergei Shtylyov Cc: Jens Axboe , "Martin K. Petersen" , James Bottomley , Tejun Heo , Borislav Petkov , "David S. Miller" , "Manoj N. Kumar" , "Matthew R. Ochs" , Uma Krishnan , linux-block , linux-ide@vger.kernel.org, linux-scsi@vger.kernel.org, LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 23, 2018 at 1:25 AM, Sergei Shtylyov wrote: > Hello! > > On 5/22/2018 9:15 PM, Kees Cook wrote: > >> To avoid introducing problems like those fixed in commit f7068114d45e >> ("sr: pass down correctly sized SCSI sense buffer"), this creates a macro >> wrapper for scsi_execute() that verifies the size of the sense buffer >> similar to what was done for command string sizes in commit 3756f6401c30 >> ("exec: avoid gcc-8 warning for get_task_comm"). >> >> Another solution could be to add another argument to scsi_execute(), >> but this function already takes a lot of arguments and Jens was not fond >> of that approach. As there was only a pair of dynamically allocated sense >> buffers, this also moves those 96 bytes onto the stack to avoid triggering >> the sizeof() check. >> >> Signed-off-by: Kees Cook >> --- >> drivers/scsi/scsi_lib.c | 6 +++--- >> include/scsi/scsi_device.h | 12 +++++++++++- >> 2 files changed, 14 insertions(+), 4 deletions(-) >> > [...] >> >> diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h >> index 7ae177c8e399..1bb87b6c0ad2 100644 >> --- a/include/scsi/scsi_device.h >> +++ b/include/scsi/scsi_device.h >> @@ -426,11 +426,21 @@ extern const char *scsi_device_state_name(enum >> scsi_device_state); >> extern int scsi_is_sdev_device(const struct device *); >> extern int scsi_is_target_device(const struct device *); >> extern void scsi_sanitize_inquiry_string(unsigned char *s, int len); >> -extern int scsi_execute(struct scsi_device *sdev, const unsigned char >> *cmd, >> +extern int __scsi_execute(struct scsi_device *sdev, const unsigned char >> *cmd, >> int data_direction, void *buffer, unsigned >> bufflen, >> unsigned char *sense, struct scsi_sense_hdr >> *sshdr, >> int timeout, int retries, u64 flags, >> req_flags_t rq_flags, int *resid); >> +/* Make sure any sense buffer is the correct size. */ >> +#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense, >> \ >> + sshdr, timeout, retries, flags, rq_flags, resid) \ >> +({ \ >> + BUILD_BUG_ON((sense) != NULL && \ >> + sizeof(sense) != SCSI_SENSE_BUFFERSIZE); \ > > > This would only check the size of the 'sense' pointer, no? Correct. Passing in a variable that was declared as: char sense[SCSI_SENSE_BUFFERSIZE]; would pass this check. Dynamically allocated would not (and we don't have any cases of that left after the prior patch in this series), and it should cast improper casts. If people don't like this bit of robustness vs complexity/limit, I'm happy to leave it off the series. -Kees -- Kees Cook Pixel Security