ACK: [SRU][Bionic][PATCH 1/1] sr: pass down correctly sized SCSI sense buffer

Stefan Bader stefan.bader at canonical.com
Mon Jul 23 12:54:33 UTC 2018


On 20.07.2018 18:46, Kleber Sacilotto de Souza wrote:
> From: Jens Axboe <axboe at kernel.dk>
> 
> We're casting the CDROM layer request_sense to the SCSI sense
> buffer, but the former is 64 bytes and the latter is 96 bytes.
> As we generally allocate these on the stack, we end up blowing
> up the stack.
> 
> Fix this by wrapping the scsi_execute() call with a properly
> sized sense buffer, and copying back the bits for the CDROM
> layer.
> 
> Cc: stable at vger.kernel.org
> Reported-by: Piotr Gabriel Kosinski <pg.kosinski at gmail.com>
> Reported-by: Daniel Shapira <daniel at twistlock.com>
> Tested-by: Kees Cook <keescook at chromium.org>
> Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
> Signed-off-by: Jens Axboe <axboe at kernel.dk>
> 
> CVE-2018-11506
> (cherry picked from commit f7068114d45ec55996b9040e98111afa56e010fe)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  drivers/scsi/sr_ioctl.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
> index 2a21f2d48592..35fab1e18adc 100644
> --- a/drivers/scsi/sr_ioctl.c
> +++ b/drivers/scsi/sr_ioctl.c
> @@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
>  	struct scsi_device *SDev;
>  	struct scsi_sense_hdr sshdr;
>  	int result, err = 0, retries = 0;
> +	unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
>  
>  	SDev = cd->device;
>  
> +	if (cgc->sense)
> +		senseptr = sense_buffer;
> +
>        retry:
>  	if (!scsi_block_when_processing_errors(SDev)) {
>  		err = -ENODEV;
> @@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
>  	}
>  
>  	result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
> -			      cgc->buffer, cgc->buflen,
> -			      (unsigned char *)cgc->sense, &sshdr,
> +			      cgc->buffer, cgc->buflen, senseptr, &sshdr,
>  			      cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
>  
> +	if (cgc->sense)
> +		memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
> +
>  	/* Minimal error checking.  Ignore cases we know about, and report the rest. */
>  	if (driver_byte(result) != 0) {
>  		switch (sshdr.sense_key) {
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180723/42dbd12e/attachment.sig>


More information about the kernel-team mailing list