From: Finn Thain <fthain@telegraphics.com.au>
To: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Hannes Reinecke <hare@suse.de>, zhengbin <zhengbin13@huawei.com>,
	bvanassche@acm.org, jejb@linux.ibm.com,
	linux-scsi@vger.kernel.org, yi.zhang@huawei.com,
	yanaijie@huawei.com, Johannes Thumshirn <jthumshirn@suse.de>
Subject: [RFC] scsi: Avoid sign extension when setting command result bytes, was Re: [PATCH v5 00/13] scsi: core: fix uninit-value access of variable sshdr
Date: Sat, 19 Oct 2019 10:17:09 +1100 (AEDT)
Message-ID: <alpine.LNX.2.21.1910191007480.12@nippy.intranet>
In-Reply-To: <yq1lftii2yi.fsf@oracle.com>


On Fri, 18 Oct 2019, Martin K. Petersen wrote:

>
> (Sorry, zhengbin, you opened a can of worms. This is some of our oldest
> and most arcane code in SCSI)
>

A call to set_host_byte(cmd, x) or set_msg_byte(cmd, x) when x & 0x80 is 
set clobbers the most significant bytes in cmd->result.

Avoid this implicit sign extension when shifting bits by using an
unsigned formal parameter.

This is a theoretical bug, found by inspection, so I'm sending an untested 
RFC patch.

I didn't try to find possible callers that might pass a negative parameter
and neither did I check whether the clobber might be intentional...

diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
index 76ed5e4acd38..ae814fa68bb8 100644
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -306,17 +306,17 @@ static inline struct scsi_data_buffer *scsi_prot(struct scsi_cmnd *cmd)
 #define scsi_for_each_prot_sg(cmd, sg, nseg, __i)		\
 	for_each_sg(scsi_prot_sglist(cmd), sg, nseg, __i)
 
-static inline void set_msg_byte(struct scsi_cmnd *cmd, char status)
+static inline void set_msg_byte(struct scsi_cmnd *cmd, unsigned char status)
 {
 	cmd->result = (cmd->result & 0xffff00ff) | (status << 8);
 }
 
-static inline void set_host_byte(struct scsi_cmnd *cmd, char status)
+static inline void set_host_byte(struct scsi_cmnd *cmd, unsigned char status)
 {
 	cmd->result = (cmd->result & 0xff00ffff) | (status << 16);
 }
 
-static inline void set_driver_byte(struct scsi_cmnd *cmd, char status)
+static inline void set_driver_byte(struct scsi_cmnd *cmd, unsigned char status)
 {
 	cmd->result = (cmd->result & 0x00ffffff) | (status << 24);
 }
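
Review bot: in set_driver_byte(), `status << 24` still promotes the unsigned char to int before shifting, so any status of 0x80 or above shifts a 1 into the sign bit of int, which ISO C leaves undefined. Casting before the shift, e.g. `((u32)status << 24)`, keeps the arithmetic unsigned, and doing the same in the other two helpers would make the intent explicit. The description names only set_host_byte() and set_msg_byte(), while the driver-byte helper is changed as well, so the changelog should mention it and state whether any caller passes a negative value.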
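
The clobber described in the message, reproduced in user space as an added example (not part of the original post or of the kernel source). `set_field_signed` and `set_field_unsigned` are hypothetical stand-ins for the helpers before and after the patch, generalized to any byte position, and the sample result word is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the helper with a signed 8-bit parameter. "signed char" is
 * spelled out because plain char is signed on x86 but unsigned on some
 * other ABIs, where the problem would not show up. */
static uint32_t set_field_signed(uint32_t result, unsigned shift,
				 signed char status)
{
	/* Integer promotion sign-extends: -128 becomes 0xffffff80. The
	 * conversion to uint32_t keeps that bit pattern and avoids
	 * left-shifting a negative int in this demo. */
	uint32_t widened = (uint32_t)(int)status;

	return (result & ~(UINT32_C(0xff) << shift)) | (widened << shift);
}

/* Model of the helper with an unsigned parameter and an explicit
 * unsigned cast before the shift. */
static uint32_t set_field_unsigned(uint32_t result, unsigned shift,
				   unsigned char status)
{
	return (result & ~(UINT32_C(0xff) << shift)) |
	       ((uint32_t)status << shift);
}

int main(void)
{
	uint32_t r = UINT32_C(0x12345678);	/* constructed sample value */

	/* Byte at bits 8..15: the signed variant also overwrites bits 16..31. */
	printf("msg  signed   %08x\n", (unsigned)set_field_signed(r, 8, -128));
	printf("msg  unsigned %08x\n", (unsigned)set_field_unsigned(r, 8, 0x80));

	/* Byte at bits 16..23: the signed variant overwrites bits 24..31. */
	printf("host signed   %08x\n", (unsigned)set_field_signed(r, 16, -128));
	printf("host unsigned %08x\n", (unsigned)set_field_unsigned(r, 16, 0x80));

	/* Values below 0x80 behave identically in both variants. */
	printf("host signed   %08x\n", (unsigned)set_field_signed(r, 16, 0x07));
	return 0;
}
```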
