From patchwork Fri Jul 20 16:46:37 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 947123
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Bionic][PATCH 1/1] sr: pass down correctly sized SCSI sense buffer
Date: Fri, 20 Jul 2018 18:46:37 +0200
Message-Id: <20180720164637.21644-2-kleber.souza@canonical.com>
In-Reply-To: <20180720164637.21644-1-kleber.souza@canonical.com>
References: <20180720164637.21644-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Jens Axboe We're casting the CDROM layer request_sense to the SCSI sense buffer, but the former is 64 bytes and the latter is 96 bytes. As we generally allocate these on the stack, we end up blowing up the stack. Fix this by wrapping the scsi_execute() call with a properly sized sense buffer, and copying back the bits for the CDROM layer. Cc: stable@vger.kernel.org Reported-by: Piotr Gabriel Kosinski Reported-by: Daniel Shapira Tested-by: Kees Cook Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") Signed-off-by: Jens Axboe CVE-2018-11506 (cherry picked from commit f7068114d45ec55996b9040e98111afa56e010fe) Signed-off-by: Kleber Sacilotto de Souza Acked-by: Colin Ian King Acked-by: Stefan Bader --- drivers/scsi/sr_ioctl.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c index 2a21f2d48592..35fab1e18adc 100644 --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc) struct scsi_device *SDev; struct scsi_sense_hdr sshdr; int result, err = 0, retries = 0; + unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL; SDev = cd->device; + if (cgc->sense) + senseptr = sense_buffer; + retry: if (!scsi_block_when_processing_errors(SDev)) { err = -ENODEV; @@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc) } result = scsi_execute(SDev, cgc->cmd, cgc->data_direction, - cgc->buffer, cgc->buflen, - (unsigned char *)cgc->sense, &sshdr, + cgc->buffer, cgc->buflen, senseptr, &sshdr, cgc->timeout, IOCTL_RETRIES, 0, 0, NULL); + if (cgc->sense) + memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense)); + /* Minimal error checking. Ignore cases we know about, and report the rest. */ if (driver_byte(result) != 0) { switch (sshdr.sense_key) {
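Review bot: the new `unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;` declaration in the first hunk (@@ -188,9 +188,13 @@) carries no comment explaining why `sr_do_ioctl()` now keeps its own 96-byte stack array instead of handing `cgc->sense` straight to `scsi_execute()`; the rationale (the CDROM layer's `request_sense` is 64 bytes, the SCSI sense buffer is 96, so the old cast overran the caller's buffer) lives only in the commit message, and the next person touching this function will see an unexplained extra stack array and a bounce copy. Suggest a one-line comment above the declaration, e.g. `/* cgc->sense is a 64-byte struct request_sense; scsi_execute() writes SCSI_SENSE_BUFFERSIZE bytes, so bounce through a full-size buffer */`, and likewise a short comment at the `if (cgc->sense) senseptr = sense_buffer;` site noting that a NULL `cgc->sense` still means "no sense wanted".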
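Review bot: in the second hunk (@@ -198,10 +202,12 @@), the `memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));` added after `scsi_execute()` is guarded only by `cgc->sense`, not by `result` or by `sshdr`, and `sense_buffer` is declared in the first hunk without an initializer. On any path where `scsi_execute()` returns without filling the buffer (the `driver_byte(result) != 0` check just below shows the call is expected to fail at times, and a command that completes without sense data leaves the buffer untouched), the copy moves stale stack bytes into `cgc->sense`, which the CDROM layer will then read as if they were sense data. Suggest either zeroing the buffer up front (`memset(sense_buffer, 0, sizeof(sense_buffer));` next to the `senseptr = sense_buffer;` assignment, or declaring it `= {0}`) or guarding the copy with `scsi_sense_valid(&sshdr)`, so the 64 bytes handed back are either real sense data or all zeros. The `sizeof(*cgc->sense)` length itself is correct: it is what keeps the copy bounded to the smaller CDROM-layer struct, which is the point of the fix.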