Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp31806imm; Fri, 21 Sep 2018 17:29:18 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYKrCNZaLtH/arN8LRU0WQg018We9rQ3orYj7aZ3jR5438NPE0e7dIAodDvyfGrrWqcz42L X-Received: by 2002:a62:5882:: with SMTP id m124-v6mr133542pfb.249.1537576158324; Fri, 21 Sep 2018 17:29:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537576158; cv=none; d=google.com; s=arc-20160816; b=AMNVtg+U6FSMLRkVTRKSO0QnP4vZ1z5p4ilR0m3t5clZ/pPbs679g1l61ozM14EAD5 5/XMY4PprHBsGCYQpfzv0Mc5R7sq3agXOpdTkoDxR4w9JB8WzP6L0cKnpiZQ55S7Uwk+ s+Kvcdlk1z1gRUXcUTiODqhE2Pl8odG7Zw0dKujBuneqSNJmyulKIeRG5WLl2SffjvZn SGLXY0JctpPyw3D1H2biPI/j4VJ68H0rMi+EyXGzSwpIF+TplYV98vpjzHcXW+bv/H5E 2XuVRupQyn3KKBNQ9xpWJqNtzhbjMyt1gTAVlShFn/WFzfalaP5FrJP7LfZMOfuoTQWy 7+Cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=MsoZnGHkwp9K2Bnff0BQSwYX9N4boQhlAb5jBXeYlIY=; b=KbRLjpI4nZXnN4tjp2tiX7J/VURCA+1+U64gF5B5ljdcwC49cYRAEhOF2i5ir+FcoM fz/InhxrHrIX0jhq1//BYtv3VCkTiARozsQTg6ZTh67+4BCBxiT+/hXhv57+jMUZFcHF nFwA+9ktnmREC4JtNeL2tnvr09MYvSQH7yXBvlRqNcuzUaz289gtbhr76C5cEc2rIUrN 3b+i6RYgzB4u3cw2tABR2Ko5bx64BPz4T9E88qiOvWvkVZSmVFXAhf71R04sZKUcj+2J 8v+0Wia2MPTaf91KPVgSOpG7Q0gPVHi7FjBSonNhhKdpzXQ3NgWuJvurzsAAWnEbtVc+ F18Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x21-v6si28867318pll.24.2018.09.21.17.29.03; Fri, 21 Sep 2018 17:29:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392018AbeIVGSS (ORCPT + 99 others); Sat, 22 Sep 2018 02:18:18 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:44081 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391850AbeIVGKm (ORCPT ); Sat, 22 Sep 2018 02:10:42 -0400 Received: from [2a02:8011:400e:2:cbab:f00:c93f:614] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1g3Vds-0008Bd-QI; Sat, 22 Sep 2018 01:19:24 +0100 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1g3Vdn-0000r6-Kv; Sat, 22 Sep 2018 01:19:19 +0100 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Daniel Shapira" , "Kees Cook" , "Piotr Gabriel Kosinski" , "Jens Axboe" Date: Sat, 22 Sep 2018 01:15:42 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 18/63] sr: pass down correctly sized SCSI sense buffer In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:cbab:f00:c93f:614 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.58-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Jens Axboe commit f7068114d45ec55996b9040e98111afa56e010fe upstream. We're casting the CDROM layer request_sense to the SCSI sense buffer, but the former is 64 bytes and the latter is 96 bytes. As we generally allocate these on the stack, we end up blowing up the stack. Fix this by wrapping the scsi_execute() call with a properly sized sense buffer, and copying back the bits for the CDROM layer. Reported-by: Piotr Gabriel Kosinski Reported-by: Daniel Shapira Tested-by: Kees Cook Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") Signed-off-by: Jens Axboe [bwh: Despite what the "Fixes" field says, a buffer overrun was already possible if the sense data was really > 64 bytes long. Backported to 3.16: - We always need to allocate a sense buffer in order to call scsi_normalize_sense() - Remove the existing conditional heap-allocation of the sense buffer] Signed-off-by: Ben Hutchings --- drivers/scsi/sr_ioctl.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -188,30 +188,25 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack struct scsi_device *SDev; struct scsi_sense_hdr sshdr; int result, err = 0, retries = 0; - struct request_sense *sense = cgc->sense; + unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE]; SDev = cd->device; - if (!sense) { - sense = kmalloc(SCSI_SENSE_BUFFERSIZE, GFP_KERNEL); - if (!sense) { - err = -ENOMEM; - goto out; - } - } - retry: if (!scsi_block_when_processing_errors(SDev)) { err = -ENODEV; goto out; } - memset(sense, 0, sizeof(*sense)); + memset(sense_buffer, 0, sizeof(sense_buffer)); result = scsi_execute(SDev, cgc->cmd, cgc->data_direction, - cgc->buffer, cgc->buflen, (char *)sense, + cgc->buffer, cgc->buflen, sense_buffer, cgc->timeout, IOCTL_RETRIES, 0, NULL); - scsi_normalize_sense((char *)sense, sizeof(*sense), &sshdr); + scsi_normalize_sense(sense_buffer, sizeof(sense_buffer), &sshdr); + + if (cgc->sense) + memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense)); /* Minimal error checking. Ignore cases we know about, and report the rest. */ if (driver_byte(result) != 0) { @@ -268,8 +263,6 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack /* Wake up a process waiting for device */ out: - if (!cgc->sense) - kfree(sense); cgc->stat = err; return err; }