* [PATCH] scsi: stex: properly zero out the passthrough command structure
@ 2022-09-08 14:51 Greg Kroah-Hartman
2022-09-09 6:54 ` [PATCH v2] " Greg Kroah-Hartman
0 siblings, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-08 14:51 UTC (permalink / raw)
To: jejb, martin.petersen
Cc: linux-scsi, Greg Kroah-Hartman, hdthky, stable, Dan Carpenter
The passthrough structure is declared off of the stack, so it needs to
be zeroed out before copied back to userspace to prevent any
unintentional data leakage.
Reported-by: hdthky <hdthky0@gmail.com>
Cc: stable <stable@kernel.org>
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/stex.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
index e6420f2127ce..fc5880a35723 100644
--- a/drivers/scsi/stex.c
+++ b/drivers/scsi/stex.c
@@ -668,6 +668,7 @@ static int stex_queuecommand_lck(struct scsi_cmnd *cmd)
struct st_drvver ver;
size_t cp_len = sizeof(ver);
+ memset(&ver, 0x00, sizeof(ver));
ver.major = ST_VER_MAJOR;
ver.minor = ST_VER_MINOR;
ver.oem = ST_OEM;
--
2.37.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v2] scsi: stex: properly zero out the passthrough command structure
2022-09-08 14:51 [PATCH] scsi: stex: properly zero out the passthrough command structure Greg Kroah-Hartman
@ 2022-09-09 6:54 ` Greg Kroah-Hartman
2022-09-09 16:24 ` Bart Van Assche
0 siblings, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-09 6:54 UTC (permalink / raw)
To: jejb, martin.petersen, Linus Torvalds
Cc: linux-scsi, hdthky, stable, Dan Carpenter
From: Linus Torvalds <torvalds@linux-foundation.org>
The passthrough structure is declared off of the stack, so it needs to
be set to zero before copied back to userspace to prevent any
unintentional data leakage. Switch things to be statically allocated
which will fill the unused fields with 0 automatically.
Reported-by: hdthky <hdthky0@gmail.com>
Cc: stable <stable@kernel.org>
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
v2: Linus's updated version that moves the initialization to be
statically defined and changes the function prototype and structure
to be const.
drivers/scsi/stex.c | 17 +++++++++--------
include/scsi/scsi_cmnd.h | 2 +-
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
index e6420f2127ce..8def242675ef 100644
--- a/drivers/scsi/stex.c
+++ b/drivers/scsi/stex.c
@@ -665,16 +665,17 @@ static int stex_queuecommand_lck(struct scsi_cmnd *cmd)
return 0;
case PASSTHRU_CMD:
if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
- struct st_drvver ver;
+ const struct st_drvver ver = {
+ .major = ST_VER_MAJOR,
+ .minor = ST_VER_MINOR,
+ .oem = ST_OEM,
+ .build = ST_BUILD_VER,
+ .signature[0] = PASSTHRU_SIGNATURE,
+ .console_id = host->max_id - 1,
+ .host_no = hba->host->host_no,
+ };
size_t cp_len = sizeof(ver);
- ver.major = ST_VER_MAJOR;
- ver.minor = ST_VER_MINOR;
- ver.oem = ST_OEM;
- ver.build = ST_BUILD_VER;
- ver.signature[0] = PASSTHRU_SIGNATURE;
- ver.console_id = host->max_id - 1;
- ver.host_no = hba->host->host_no;
cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
if (sizeof(ver) == cp_len)
cmd->result = DID_OK << 16;
diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
index bac55decf900..7d3622db38ed 100644
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -201,7 +201,7 @@ static inline unsigned int scsi_get_resid(struct scsi_cmnd *cmd)
for_each_sg(scsi_sglist(cmd), sg, nseg, __i)
static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,
- void *buf, int buflen)
+ const void *buf, int buflen)
{
return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
buf, buflen);
--
2.37.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] scsi: stex: properly zero out the passthrough command structure
2022-09-09 6:54 ` [PATCH v2] " Greg Kroah-Hartman
@ 2022-09-09 16:24 ` Bart Van Assche
2022-09-26 15:54 ` Lee Duncan
0 siblings, 1 reply; 5+ messages in thread
From: Bart Van Assche @ 2022-09-09 16:24 UTC (permalink / raw)
To: Greg Kroah-Hartman, jejb, martin.petersen, Linus Torvalds
Cc: linux-scsi, hdthky, stable, Dan Carpenter
On 9/8/22 23:54, Greg Kroah-Hartman wrote:
> From: Linus Torvalds <torvalds@linux-foundation.org>
>
> The passthrough structure is declared off of the stack, so it needs to
> be set to zero before copied back to userspace to prevent any
> unintentional data leakage. Switch things to be statically allocated
> which will fill the unused fields with 0 automatically.
>
> Reported-by: hdthky <hdthky0@gmail.com>
> Cc: stable <stable@kernel.org>
> Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
> Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> v2: Linus's updated version that moves the initialization to be
> statically defined and changes the function prototype and structure
> to be const.
>
> drivers/scsi/stex.c | 17 +++++++++--------
> include/scsi/scsi_cmnd.h | 2 +-
> 2 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
> index e6420f2127ce..8def242675ef 100644
> --- a/drivers/scsi/stex.c
> +++ b/drivers/scsi/stex.c
> @@ -665,16 +665,17 @@ static int stex_queuecommand_lck(struct scsi_cmnd *cmd)
> return 0;
> case PASSTHRU_CMD:
> if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
> - struct st_drvver ver;
> + const struct st_drvver ver = {
> + .major = ST_VER_MAJOR,
> + .minor = ST_VER_MINOR,
> + .oem = ST_OEM,
> + .build = ST_BUILD_VER,
> + .signature[0] = PASSTHRU_SIGNATURE,
> + .console_id = host->max_id - 1,
> + .host_no = hba->host->host_no,
> + };
> size_t cp_len = sizeof(ver);
>
> - ver.major = ST_VER_MAJOR;
> - ver.minor = ST_VER_MINOR;
> - ver.oem = ST_OEM;
> - ver.build = ST_BUILD_VER;
> - ver.signature[0] = PASSTHRU_SIGNATURE;
> - ver.console_id = host->max_id - 1;
> - ver.host_no = hba->host->host_no;
> cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
> if (sizeof(ver) == cp_len)
> cmd->result = DID_OK << 16;
> diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
> index bac55decf900..7d3622db38ed 100644
> --- a/include/scsi/scsi_cmnd.h
> +++ b/include/scsi/scsi_cmnd.h
> @@ -201,7 +201,7 @@ static inline unsigned int scsi_get_resid(struct scsi_cmnd *cmd)
> for_each_sg(scsi_sglist(cmd), sg, nseg, __i)
>
> static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,
> - void *buf, int buflen)
> + const void *buf, int buflen)
> {
> return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
> buf, buflen);
Please split this patch into one patch for the SCSI core and another patch
for the STEX driver.
Thanks,
Bart.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] scsi: stex: properly zero out the passthrough command structure
2022-09-09 16:24 ` Bart Van Assche
@ 2022-09-26 15:54 ` Lee Duncan
2022-09-26 16:17 ` Greg Kroah-Hartman
0 siblings, 1 reply; 5+ messages in thread
From: Lee Duncan @ 2022-09-26 15:54 UTC (permalink / raw)
To: Bart Van Assche, Greg Kroah-Hartman, jejb, martin.petersen,
Linus Torvalds
Cc: linux-scsi, hdthky, stable, Dan Carpenter
On 9/9/22 09:24, Bart Van Assche wrote:
> On 9/8/22 23:54, Greg Kroah-Hartman wrote:
>> From: Linus Torvalds <torvalds@linux-foundation.org>
>>
>> The passthrough structure is declared off of the stack, so it needs to
>> be set to zero before copied back to userspace to prevent any
>> unintentional data leakage. Switch things to be statically allocated
>> which will fill the unused fields with 0 automatically.
>>
>> Reported-by: hdthky <hdthky0@gmail.com>
>> Cc: stable <stable@kernel.org>
>> Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
>> Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
>> Cc: Dan Carpenter <dan.carpenter@oracle.com>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ---
>> v2: Linus's updated version that moves the initialization to be
>> statically defined and changes the function prototype and structure
>> to be const.
>>
>> drivers/scsi/stex.c | 17 +++++++++--------
>> include/scsi/scsi_cmnd.h | 2 +-
>> 2 files changed, 10 insertions(+), 9 deletions(-)
>>
>> diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
>> index e6420f2127ce..8def242675ef 100644
>> --- a/drivers/scsi/stex.c
>> +++ b/drivers/scsi/stex.c
>> @@ -665,16 +665,17 @@ static int stex_queuecommand_lck(struct
>> scsi_cmnd *cmd)
>> return 0;
>> case PASSTHRU_CMD:
>> if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
>> - struct st_drvver ver;
>> + const struct st_drvver ver = {
>> + .major = ST_VER_MAJOR,
>> + .minor = ST_VER_MINOR,
>> + .oem = ST_OEM,
>> + .build = ST_BUILD_VER,
>> + .signature[0] = PASSTHRU_SIGNATURE,
>> + .console_id = host->max_id - 1,
>> + .host_no = hba->host->host_no,
>> + };
>> size_t cp_len = sizeof(ver);
>> - ver.major = ST_VER_MAJOR;
>> - ver.minor = ST_VER_MINOR;
>> - ver.oem = ST_OEM;
>> - ver.build = ST_BUILD_VER;
>> - ver.signature[0] = PASSTHRU_SIGNATURE;
>> - ver.console_id = host->max_id - 1;
>> - ver.host_no = hba->host->host_no;
>> cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
>> if (sizeof(ver) == cp_len)
>> cmd->result = DID_OK << 16;
>> diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
>> index bac55decf900..7d3622db38ed 100644
>> --- a/include/scsi/scsi_cmnd.h
>> +++ b/include/scsi/scsi_cmnd.h
>> @@ -201,7 +201,7 @@ static inline unsigned int scsi_get_resid(struct
>> scsi_cmnd *cmd)
>> for_each_sg(scsi_sglist(cmd), sg, nseg, __i)
>> static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,
>> - void *buf, int buflen)
>> + const void *buf, int buflen)
>> {
>> return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
>> buf, buflen);
>
> Please split this patch into one patch for the SCSI core and another patch
> for the STEX driver.
>
> Thanks,
>
> Bart.
Ping? Is this patch going to stand as is, or are we going to get a V3
that addresses Bart's request?
I'd like to know so I can backport the proper patch(es) to address this
issue.
--
Lee Duncan
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] scsi: stex: properly zero out the passthrough command structure
2022-09-26 15:54 ` Lee Duncan
@ 2022-09-26 16:17 ` Greg Kroah-Hartman
0 siblings, 0 replies; 5+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-26 16:17 UTC (permalink / raw)
To: Lee Duncan
Cc: Bart Van Assche, jejb, martin.petersen, Linus Torvalds,
linux-scsi, hdthky, stable, Dan Carpenter
On Mon, Sep 26, 2022 at 08:54:24AM -0700, Lee Duncan wrote:
> On 9/9/22 09:24, Bart Van Assche wrote:
> > On 9/8/22 23:54, Greg Kroah-Hartman wrote:
> > > From: Linus Torvalds <torvalds@linux-foundation.org>
> > >
> > > The passthrough structure is declared off of the stack, so it needs to
> > > be set to zero before copied back to userspace to prevent any
> > > unintentional data leakage. Switch things to be statically allocated
> > > which will fill the unused fields with 0 automatically.
> > >
> > > Reported-by: hdthky <hdthky0@gmail.com>
> > > Cc: stable <stable@kernel.org>
> > > Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
> > > Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
> > > Cc: Dan Carpenter <dan.carpenter@oracle.com>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > ---
> > > v2: Linus's updated version that moves the initialization to be
> > > statically defined and changes the function prototype and structure
> > > to be const.
> > >
> > > drivers/scsi/stex.c | 17 +++++++++--------
> > > include/scsi/scsi_cmnd.h | 2 +-
> > > 2 files changed, 10 insertions(+), 9 deletions(-)
> > >
> > > diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
> > > index e6420f2127ce..8def242675ef 100644
> > > --- a/drivers/scsi/stex.c
> > > +++ b/drivers/scsi/stex.c
> > > @@ -665,16 +665,17 @@ static int stex_queuecommand_lck(struct
> > > scsi_cmnd *cmd)
> > > return 0;
> > > case PASSTHRU_CMD:
> > > if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
> > > - struct st_drvver ver;
> > > + const struct st_drvver ver = {
> > > + .major = ST_VER_MAJOR,
> > > + .minor = ST_VER_MINOR,
> > > + .oem = ST_OEM,
> > > + .build = ST_BUILD_VER,
> > > + .signature[0] = PASSTHRU_SIGNATURE,
> > > + .console_id = host->max_id - 1,
> > > + .host_no = hba->host->host_no,
> > > + };
> > > size_t cp_len = sizeof(ver);
> > > - ver.major = ST_VER_MAJOR;
> > > - ver.minor = ST_VER_MINOR;
> > > - ver.oem = ST_OEM;
> > > - ver.build = ST_BUILD_VER;
> > > - ver.signature[0] = PASSTHRU_SIGNATURE;
> > > - ver.console_id = host->max_id - 1;
> > > - ver.host_no = hba->host->host_no;
> > > cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
> > > if (sizeof(ver) == cp_len)
> > > cmd->result = DID_OK << 16;
> > > diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
> > > index bac55decf900..7d3622db38ed 100644
> > > --- a/include/scsi/scsi_cmnd.h
> > > +++ b/include/scsi/scsi_cmnd.h
> > > @@ -201,7 +201,7 @@ static inline unsigned int scsi_get_resid(struct
> > > scsi_cmnd *cmd)
> > > for_each_sg(scsi_sglist(cmd), sg, nseg, __i)
> > > static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,
> > > - void *buf, int buflen)
> > > + const void *buf, int buflen)
> > > {
> > > return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
> > > buf, buflen);
> >
> > Please split this patch into one patch for the SCSI core and another patch
> > for the STEX driver.
> >
> > Thanks,
> >
> > Bart.
>
> Ping? Is this patch going to stand as is, or are we going to get a V3 that
> addresses Bart's request?
I'll try to do a v3 when I get a chance later this week.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-09-26 17:09 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-08 14:51 [PATCH] scsi: stex: properly zero out the passthrough command structure Greg Kroah-Hartman
2022-09-09 6:54 ` [PATCH v2] " Greg Kroah-Hartman
2022-09-09 16:24 ` Bart Van Assche
2022-09-26 15:54 ` Lee Duncan
2022-09-26 16:17 ` Greg Kroah-Hartman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.