ACK: [SRU][Bionic][PATCH 1/1] sr: pass down correctly sized SCSI sense buffer
Stefan Bader
stefan.bader at canonical.com
Mon Jul 23 12:54:33 UTC 2018
On 20.07.2018 18:46, Kleber Sacilotto de Souza wrote:
> From: Jens Axboe <axboe at kernel.dk>
>
> We're casting the CDROM layer request_sense to the SCSI sense
> buffer, but the former is 64 bytes and the latter is 96 bytes.
> As we generally allocate these on the stack, we end up blowing
> up the stack.
>
> Fix this by wrapping the scsi_execute() call with a properly
> sized sense buffer, and copying back the bits for the CDROM
> layer.
>
> Cc: stable at vger.kernel.org
> Reported-by: Piotr Gabriel Kosinski <pg.kosinski at gmail.com>
> Reported-by: Daniel Shapira <daniel at twistlock.com>
> Tested-by: Kees Cook <keescook at chromium.org>
> Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
> Signed-off-by: Jens Axboe <axboe at kernel.dk>
>
> CVE-2018-11506
> (cherry picked from commit f7068114d45ec55996b9040e98111afa56e010fe)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> drivers/scsi/sr_ioctl.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
> index 2a21f2d48592..35fab1e18adc 100644
> --- a/drivers/scsi/sr_ioctl.c
> +++ b/drivers/scsi/sr_ioctl.c
> @@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
> struct scsi_device *SDev;
> struct scsi_sense_hdr sshdr;
> int result, err = 0, retries = 0;
> + unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
>
> SDev = cd->device;
>
> + if (cgc->sense)
> + senseptr = sense_buffer;
> +
> retry:
> if (!scsi_block_when_processing_errors(SDev)) {
> err = -ENODEV;
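Review bot: sense_buffer is declared uninitialised in this hunk, and the later memcpy back into cgc->sense runs unconditionally whenever cgc->sense is set, so if scsi_execute returns without writing sense data the CDROM layer receives whatever was on the stack. Consider `unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE] = {};` (or a memset before the retry label) so the copied-back bytes are always defined. The NULL senseptr when cgc->sense is absent is fine, since sshdr is still populated for the error checking below.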
> @@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
> }
>
> result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
> - cgc->buffer, cgc->buflen,
> - (unsigned char *)cgc->sense, &sshdr,
> + cgc->buffer, cgc->buflen, senseptr, &sshdr,
> cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
>
> + if (cgc->sense)
> + memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
> +
> /* Minimal error checking. Ignore cases we know about, and report the rest. */
> if (driver_byte(result) != 0) {
> switch (sshdr.sense_key) {
>
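Review bot: the copy direction and bound here are right, `sizeof(*cgc->sense)` (the 64-byte request_sense) is taken out of the 96-byte SCSI_SENSE_BUFFERSIZE buffer, so the stack overrun described in the commit message can no longer happen. It would be worth making that invariant explicit with `BUILD_BUG_ON(sizeof(*cgc->sense) > SCSI_SENSE_BUFFERSIZE);` next to the memcpy, so a future change to either structure fails at compile time rather than silently reading past sense_buffer.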