Subject: Re: [PATCH] scsi: core: initialize cmd->cmnd before it is used
From: Douglas Gilbert
Reply-To: dgilbert@interlog.com
To: Bart Van Assche, Tadeusz Struk, linux-scsi@vger.kernel.org
Cc: Christoph Hellwig, "James E . J . Bottomley", "Martin K . Petersen", linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+5516b30f5401d4dcbcae@syzkaller.appspotmail.com
Date: Tue, 2 Nov 2021 17:33:51 -0400
In-Reply-To: <17a1b72e-2c2a-8492-cb92-4dec36a6531d@acm.org>
References: <20211101192417.324799-1-tadeusz.struk@linaro.org> <4cfa4049-aae5-51db-4ad2-b4c9db996525@acm.org> <0024e0e1-589c-e2cd-2468-f4af8ec1cb95@linaro.org> <8fbb619a-37b3-4890-37e0-b586bdee49d6@interlog.com> <17a1b72e-2c2a-8492-cb92-4dec36a6531d@acm.org>
List-ID: <linux-kernel.vger.kernel.org>

On 2021-11-01 11:06 p.m., Bart Van Assche wrote:
> On 11/1/21 18:56, Douglas Gilbert wrote:
>> On 2021-11-01 4:20 p.m., Bart Van Assche wrote:
>>> One of the functions in the call stack in the first message of this email
>>> thread is sg_io(). I am not aware of any documentation that specifies whether
>>> it is valid to set cmd_len in the sg_io header to zero. My opinion is that
>>> the SG_IO implementation should either reject cmd_len == 0 or set cmd_len
>>> to a valid value if it is zero.
>>
>> For the sg driver in production, the v3 interface users (including
>> ioctl(, SG_IO,) ) have this check:
>>
>>         if ((!hp->cmdp) || (hp->cmd_len < 6) || (hp->cmd_len > sizeof (cmnd))) {
>>                  sg_remove_request(sfp, srp);
>>                  return -EMSGSIZE;
>>          }
>
> Hi Doug,
>
> Thanks for having taken a look. I found the above check in sg_new_write(). To me
> that function seems to come from a code path that is unrelated to sg_io(), the
> function shown in the call stack in the email at the start of this thread. Maybe
> I overlooked something but I haven't found a minimum size check for hdr->cmd_len
> in sg_io() before the blk_execute_rq() call. Should such a check perhaps be added?

I guess it came from ioctl(, SG_IO, ) and I found no lower bound check when
I looked in lk 5.15.0. No-one has complained to me about the hp->cmd_len < 6
check in the sg driver ***. So I think such a check may be useful in the
scsi_fill_sghdr_rq() function in drivers/scsi/scsi_ioctl.c. And a return
of -EMSGSIZE seems to be tailor-made for this situation.

Doug Gilbert

*** It is possible a vendor-specific command could be between 1 and 5 bytes
long, but that would probably be an unwise choice.
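The exchange above is about a bounds check on the SG_IO v3 header's cmd_len: the sg driver's sg_new_write() rejects cmd_len < 6 and cmd_len > sizeof(cmnd) with -EMSGSIZE, while the sg_io() path in scsi_ioctl.c had no lower bound, so a zero-length CDB leaves the request's command buffer unfilled. The following user-space C is an added example written for this page, not code from the kernel or from anyone in the thread. It models the two paths side by side with hypothetical stand-in types (demo_sg_hdr, demo_cmd, fill_cmd_unchecked, fill_cmd_checked); MAX_CDB_LEN is assumed to be 16, the 6-byte minimum is the one quoted from sg_new_write(), and the "stale" 0xA5 fill stands in for whatever uninitialized memory would hold.

```c
/* Added example, not kernel code: models the SG_IO cmd_len validation
 * discussed in the thread. All names below are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CDB_LEN 16   /* assumption: size of the request's cmnd[] buffer */
#define MIN_CDB_LEN 6    /* the lower bound quoted from sg_new_write() */

/* Stand-in for the cmdp / cmd_len fields of struct sg_io_hdr (v3). */
struct demo_sg_hdr {
    const unsigned char *cmdp;  /* user-supplied CDB pointer */
    unsigned int cmd_len;       /* CDB length in bytes */
};

/* Stand-in for the request's command buffer (cmd->cmnd in the kernel). */
struct demo_cmd {
    unsigned char cmnd[MAX_CDB_LEN];
    unsigned int cmd_len;
};

/* "Before": only the upper bound is checked. With cmd_len == 0 nothing is
 * copied and cmnd[] keeps whatever it held before, which is the
 * "used before initialized" condition named in the patch title. */
int fill_cmd_unchecked(struct demo_cmd *cmd, const struct demo_sg_hdr *hdr)
{
    if (hdr->cmd_len > sizeof(cmd->cmnd))
        return -EMSGSIZE;
    memcpy(cmd->cmnd, hdr->cmdp, hdr->cmd_len);
    cmd->cmd_len = hdr->cmd_len;
    return 0;
}

/* "After": the sg_new_write()-style check. NULL cmdp, fewer than 6 bytes,
 * or more than cmnd[] can hold are all rejected with -EMSGSIZE. */
int fill_cmd_checked(struct demo_cmd *cmd, const struct demo_sg_hdr *hdr)
{
    if (!hdr->cmdp || hdr->cmd_len < MIN_CDB_LEN ||
        hdr->cmd_len > sizeof(cmd->cmnd))
        return -EMSGSIZE;
    memcpy(cmd->cmnd, hdr->cmdp, hdr->cmd_len);
    cmd->cmd_len = hdr->cmd_len;
    return 0;
}

/* Returns 1 if the unchecked path accepted a zero-length CDB and left the
 * constructed "stale" 0xA5 bytes in cmnd[], 0 if cmnd[] was overwritten,
 * -1 if the call was rejected. */
int stale_cdb_after_zero_len(void)
{
    struct demo_cmd cmd;
    const unsigned char dummy = 0;
    struct demo_sg_hdr hdr = { &dummy, 0 };

    /* Constructed stand-in for uninitialized memory. */
    memset(cmd.cmnd, 0xA5, sizeof(cmd.cmnd));
    if (fill_cmd_unchecked(&cmd, &hdr) != 0)
        return -1;
    return cmd.cmnd[0] == 0xA5;
}

/* Runs fill_cmd_checked() on a constructed all-zero CDB (a TEST UNIT READY
 * pattern) of the given length; null_ptr forces cmdp == NULL. */
int checked_result(unsigned int len, int null_ptr)
{
    unsigned char cdb[MAX_CDB_LEN] = {0};
    struct demo_sg_hdr hdr = { null_ptr ? NULL : cdb, len };
    struct demo_cmd cmd;

    return fill_cmd_checked(&cmd, &hdr);
}

int main(void)
{
    printf("unchecked path, cmd_len=0, stale CDB bytes survive: %d\n",
           stale_cdb_after_zero_len());
    printf("checked path, cmd_len=6:    %d\n", checked_result(6, 0));
    printf("checked path, cmd_len=0:    %d (-EMSGSIZE is %d)\n",
           checked_result(0, 0), -EMSGSIZE);
    printf("checked path, cmd_len=17:   %d\n", checked_result(17, 0));
    printf("checked path, cmdp=NULL:    %d\n", checked_result(6, 1));
    return 0;
}
```

The point the example makes concrete is the asymmetry Bart noticed: an upper-bound check alone is satisfied by cmd_len == 0, and with nothing copied the first CDB byte dispatched to the device is whatever the buffer already contained. Whether the real lower bound should be 6 or something smaller for vendor-specific commands is the open question in Doug's footnote; the example takes 6 as given.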