| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 05 Apr 2007 19:51:00 -0500 From: James Bottomley <James.Bottomley@...elEye.com> To: David Miller <davem@...emloft.net> Cc: aab@...hlid.com, linux-kernel@...r.kernel.org, linux-scsi@...r.kernel.org Subject: Re: Oops in scsi_send_eh_cmnd 2.6.21-rc5-git6,7,10,13 On Thu, 2007-04-05 at 17:15 -0700, David Miller wrote: > This won't work I believe. > > There are cases that use smaller sense buffers than the minimum > specified by the SCSI layer. > > One example is that do_sr_ioctl() stuff when the cgc passed > in has a sense buffer. That will only be as large as a > "struct request_sense". > > I'm pretty sure that's one of the reasons why we cons up a local sense > buffer in this EH code. > > So we could walk past the end of that and corrupt memory with > your patch. That should be fine ... the application copies the sense out of scmnd->sense_buffer ... it can take as much or as little as it wants (sense_buffer is actually a SCSI_SENSE_BUFFERSIZE array inside the command). There was one thing I missed, which is that the sense buffer size of the command is 252, whereas I need to set it back down to sizeof(scmnd->sense_buffer). This is another area where we "could do better" ... the request actually gives us a sense buffer, but we use our own and later copy data out of it back into the request. James - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists