Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2216160imm; Mon, 28 May 2018 04:07:30 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqykNa59vdscAewO51LLQ+Tn47OfEaoMbHK+O/JvQRSza93zMSZhwVzKtYpfe0eWUURU+5f X-Received: by 2002:a17:902:848e:: with SMTP id c14-v6mr13106216plo.129.1527505650609; Mon, 28 May 2018 04:07:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527505650; cv=none; d=google.com; s=arc-20160816; b=buPaiajTgi1Qc6rIkYSIcZlSbpGnA5ouI8eJtjwGZGv2hv6kC13CJQYxSKoKjsRCGC nPiZ2le65HQXALdpPoQSxujaGo1y8Stq9nIwr52gAg/50ue5yxMBb3QUF9tHgY5TRjWc XtkrlZ+IuaKP1poHNf5SkDtN5GvaQgcOkc+EsLgXHNutclLS9azS8KWFlTt6rVpSjxNT dvt/f/PcTfXAVwFXbub3OYhTlY3RmSPDn7MEhNDmYZ6gwAC20yccQLu4e2+uvzLb77NJ XLhVwU28kuK6leO0QnRQzkzmXk/rv//74tJUQwZZ05k6yNgp7JXrjXc8yStsgqVIPKK/ uCBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=4WMaru3T14ijmHgdoZm1p104EsRc3qqpRKjwllyCpWU=; b=eeNzoBU2WtWt5NcDzGtmjOhWsYn1rp7+zbJaLfwar9Lm4zJLzh1+oCg7IMMyFgWV6i feymyyplGakj2UHFf8p4n9pfDMleR7Og7rvQ579zrANDnraKSpSP69n81ZQ6rjvVGLox E9kQ6h+pgOd7tv259LtcMh0RUM2FUMgl6ezHLGIT3/QX6cOaeA7Ug+ZcsnCu+K+ACjV+ KLPIEUFvdpFa5NBOZM7tjP8dp2RfKm7xJD7jiGPqVE/qhHyQFdZq6VUhUJSCXbysajaX pIBfGtFfh/bfHYZjRhZGsPgfbftPRsCm4yCacm0SCkETQFQKedhgb9UvCM//rV9rJdHm 3Ezw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=OOZI69O+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v7-v6si29158856plp.304.2018.05.28.04.07.16; Mon, 28 May 2018 04:07:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=OOZI69O+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1423106AbeE1LFU (ORCPT + 99 others); Mon, 28 May 2018 07:05:20 -0400 Received: from mail.kernel.org ([198.145.29.99]:52242 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1422945AbeE1LFK (ORCPT ); Mon, 28 May 2018 07:05:10 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DD8372086D; Mon, 28 May 2018 11:05:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527505509; bh=jjP52qxdNaZBs+h/oOEpav521z9wJrxJAh4qbctNtQA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OOZI69O+KWBFeBkOx+1jfPuTxSGEdOayEGkxjY/gpW1xLNnTeG1BYDqztMoH8aOez jl2uWnuvEyvvMWEE+FTpu6MhbhwpL6s3+pAFgL2ugJlWD3MiXOfmEc5BT+ARBtSTZF u/geGQeBaFuYgJX1pgygfNpWjUcluBTA31PPXuXI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Piotr Gabriel Kosinski , Daniel Shapira , Kees Cook , Jens Axboe Subject: [PATCH 4.16 029/272] sr: pass down correctly sized SCSI sense buffer Date: Mon, 28 May 2018 12:01:02 +0200 Message-Id: <20180528100243.141095651@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100240.256525891@linuxfoundation.org> References: <20180528100240.256525891@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jens Axboe commit f7068114d45ec55996b9040e98111afa56e010fe upstream. We're casting the CDROM layer request_sense to the SCSI sense buffer, but the former is 64 bytes and the latter is 96 bytes. As we generally allocate these on the stack, we end up blowing up the stack. Fix this by wrapping the scsi_execute() call with a properly sized sense buffer, and copying back the bits for the CDROM layer. Cc: stable@vger.kernel.org Reported-by: Piotr Gabriel Kosinski Reported-by: Daniel Shapira Tested-by: Kees Cook Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/sr_ioctl.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack struct scsi_device *SDev; struct scsi_sense_hdr sshdr; int result, err = 0, retries = 0; + unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL; SDev = cd->device; + if (cgc->sense) + senseptr = sense_buffer; + retry: if (!scsi_block_when_processing_errors(SDev)) { err = -ENODEV; @@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack } result = scsi_execute(SDev, cgc->cmd, cgc->data_direction, - cgc->buffer, cgc->buflen, - (unsigned char *)cgc->sense, &sshdr, + cgc->buffer, cgc->buflen, senseptr, &sshdr, cgc->timeout, IOCTL_RETRIES, 0, 0, NULL); + if (cgc->sense) + memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense)); + /* Minimal error checking. Ignore cases we know about, and report the rest. */ if (driver_byte(result) != 0) { switch (sshdr.sense_key) {