| Message ID | 20180720164637.21644-2-kleber.souza@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | Fix for CVE-2018-11506 | expand |
On 20/07/18 17:46, Kleber Sacilotto de Souza wrote: > From: Jens Axboe <axboe@kernel.dk> > > We're casting the CDROM layer request_sense to the SCSI sense > buffer, but the former is 64 bytes and the latter is 96 bytes. > As we generally allocate these on the stack, we end up blowing > up the stack. > > Fix this by wrapping the scsi_execute() call with a properly > sized sense buffer, and copying back the bits for the CDROM > layer. > > Cc: stable@vger.kernel.org > Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com> > Reported-by: Daniel Shapira <daniel@twistlock.com> > Tested-by: Kees Cook <keescook@chromium.org> > Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") > Signed-off-by: Jens Axboe <axboe@kernel.dk> > > CVE-2018-11506 > (cherry picked from commit f7068114d45ec55996b9040e98111afa56e010fe) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/scsi/sr_ioctl.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c > index 2a21f2d48592..35fab1e18adc 100644 > --- a/drivers/scsi/sr_ioctl.c > +++ b/drivers/scsi/sr_ioctl.c > @@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc) > struct scsi_device *SDev; > struct scsi_sense_hdr sshdr; > int result, err = 0, retries = 0; > + unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL; > > SDev = cd->device; > > + if (cgc->sense) > + senseptr = sense_buffer; > + > retry: > if (!scsi_block_when_processing_errors(SDev)) { > err = -ENODEV; > @@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc) > } > > result = scsi_execute(SDev, cgc->cmd, cgc->data_direction, > - cgc->buffer, cgc->buflen, > - (unsigned char *)cgc->sense, &sshdr, > + cgc->buffer, cgc->buflen, senseptr, &sshdr, > cgc->timeout, IOCTL_RETRIES, 0, 0, NULL); > > + if (cgc->sense) > + memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense)); > + > /* Minimal error checking. Ignore cases we know about, and report the rest. */ > if (driver_byte(result) != 0) { > switch (sshdr.sense_key) { > Looks sane to me, clean cherry pick... Acked-by: Colin Ian King <colin.king@canonical.com>
On 20.07.2018 18:46, Kleber Sacilotto de Souza wrote: > From: Jens Axboe <axboe@kernel.dk> > > We're casting the CDROM layer request_sense to the SCSI sense > buffer, but the former is 64 bytes and the latter is 96 bytes. > As we generally allocate these on the stack, we end up blowing > up the stack. > > Fix this by wrapping the scsi_execute() call with a properly > sized sense buffer, and copying back the bits for the CDROM > layer. > > Cc: stable@vger.kernel.org > Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com> > Reported-by: Daniel Shapira <daniel@twistlock.com> > Tested-by: Kees Cook <keescook@chromium.org> > Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") > Signed-off-by: Jens Axboe <axboe@kernel.dk> > > CVE-2018-11506 > (cherry picked from commit f7068114d45ec55996b9040e98111afa56e010fe) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/scsi/sr_ioctl.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c > index 2a21f2d48592..35fab1e18adc 100644 > --- a/drivers/scsi/sr_ioctl.c > +++ b/drivers/scsi/sr_ioctl.c > @@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc) > struct scsi_device *SDev; > struct scsi_sense_hdr sshdr; > int result, err = 0, retries = 0; > + unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL; > > SDev = cd->device; > > + if (cgc->sense) > + senseptr = sense_buffer; > + > retry: > if (!scsi_block_when_processing_errors(SDev)) { > err = -ENODEV; > @@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc) > } > > result = scsi_execute(SDev, cgc->cmd, cgc->data_direction, > - cgc->buffer, cgc->buflen, > - (unsigned char *)cgc->sense, &sshdr, > + cgc->buffer, cgc->buflen, senseptr, &sshdr, > cgc->timeout, IOCTL_RETRIES, 0, 0, NULL); > > + if (cgc->sense) > + memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense)); > + > /* Minimal error checking. Ignore cases we know about, and report the rest. */ > if (driver_byte(result) != 0) { > switch (sshdr.sense_key) { >
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c index 2a21f2d48592..35fab1e18adc 100644 --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc) struct scsi_device *SDev; struct scsi_sense_hdr sshdr; int result, err = 0, retries = 0; + unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL; SDev = cd->device; + if (cgc->sense) + senseptr = sense_buffer; + retry: if (!scsi_block_when_processing_errors(SDev)) { err = -ENODEV; @@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc) } result = scsi_execute(SDev, cgc->cmd, cgc->data_direction, - cgc->buffer, cgc->buflen, - (unsigned char *)cgc->sense, &sshdr, + cgc->buffer, cgc->buflen, senseptr, &sshdr, cgc->timeout, IOCTL_RETRIES, 0, 0, NULL); + if (cgc->sense) + memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense)); + /* Minimal error checking. Ignore cases we know about, and report the rest. */ if (driver_byte(result) != 0) { switch (sshdr.sense_key) {