From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Piotr Gabriel Kosinski, Daniel Shapira, Kees Cook, Jens Axboe
Subject: [PATCH 4.14 021/496] sr: pass down correctly sized SCSI sense buffer
Date: Mon, 28 May 2018 11:56:46 +0200
Message-Id: <20180528100320.483371030@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jens Axboe

commit f7068114d45ec55996b9040e98111afa56e010fe upstream.

We're casting the CDROM layer request_sense to the SCSI sense buffer, but the former is 64 bytes and the latter is 96 bytes. As we generally allocate these on the stack, we end up blowing up the stack.

Fix this by wrapping the scsi_execute() call with a properly sized sense buffer, and copying back the bits for the CDROM layer.

Cc: stable@vger.kernel.org
Reported-by: Piotr Gabriel Kosinski
Reported-by: Daniel Shapira
Tested-by: Kees Cook
Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
---
 drivers/scsi/sr_ioctl.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack struct scsi_device *SDev; struct scsi_sense_hdr sshdr; int result, err = 0, retries = 0; + unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL; SDev = cd->device; + if (cgc->sense) + senseptr = sense_buffer; + retry: if (!scsi_block_when_processing_errors(SDev)) { err = -ENODEV; 
@@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack } result = scsi_execute(SDev, cgc->cmd, cgc->data_direction, - cgc->buffer, cgc->buflen, - (unsigned char *)cgc->sense, &sshdr, + cgc->buffer, cgc->buflen, senseptr, &sshdr, cgc->timeout, IOCTL_RETRIES, 0, 0, NULL); + if (cgc->sense) + memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense)); + /* Minimal error checking. Ignore cases we know about, and report the rest. */ if (driver_byte(result) != 0) { switch (sshdr.sense_key) {
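
Review bot: in the first hunk (@@ -188,9 +188,13 @@), sense_buffer is declared without an initializer, yet the second hunk copies it into cgc->sense whenever cgc->sense is non-NULL, before result is examined. If scsi_execute() returns without writing sense data, the caller's request_sense receives leftover stack bytes instead of staying untouched as it did when cgc->sense was passed directly. Zeroing the buffer after the retry: label, for example memset(sense_buffer, 0, sizeof(sense_buffer)), or copying back only when sense data was actually returned, would close that.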
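
Review bot: in the second hunk (@@ -198,10 +202,12 @@), the memcpy() length is sizeof(*cgc->sense) while the source is sense_buffer[SCSI_SENSE_BUFFERSIZE], and nothing in the code ties the two sizes together. The commit message gives them as 64 and 96 bytes, so the copy is in bounds today, but a BUILD_BUG_ON(sizeof(*cgc->sense) > sizeof(sense_buffer)) next to the memcpy() would keep a later change to either type from turning this into an over-read of the stack buffer. A one-line comment stating that the tail of the SCSI sense data is dropped on purpose would also help the next reader.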