lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 23 Dec 2016 19:45:45 -0700
From:   Jens Axboe <>
To:     Linus Torvalds <>,
        Christoph Hellwig <>
CC:     Chris Leech <>, Ming Lei <>,
        "Dave Chinner" <>,
        Johannes Weiner <>,
        "Linux Kernel Mailing List" <>,
        Lee Duncan <>, <>,
        Linux SCSI List <>,
        linux-block <>,
        "Michael S. Tsirkin" <>
Subject: Re: [4.10, panic, regression] iscsi: null pointer deref at

On 12/23/2016 12:42 PM, Linus Torvalds wrote:
> On Fri, Dec 23, 2016 at 2:00 AM, Christoph Hellwig <> wrote:
>> From: Christoph Hellwig <>
>> Date: Fri, 23 Dec 2016 10:57:06 +0100
>> Subject: virtio_blk: avoid DMA to stack for the sense buffer
>> Most users of BLOCK_PC requests allocate the sense buffer on the stack,
>> so to avoid DMA to the stack copy them to a field in the heap allocated
>> virtblk_req structure.  Without that any attempt at SCSI passthrough I/O,
>> including the SG_IO ioctl from userspace will crash the kernel.  Note that
>> this includes running tools like hdparm even when the host does not have
>> SCSI passthrough enabled.
> Ugh. This patch is nasty.
> I think we should just fix blk_execute_rq() instead.
> But from a quick look, we also have at least sg_scsi_ioctl() and
> sg_io() doing the same thing.
> And the SG_IO thing in bsg_ioctl(). And spi_execute() in scsi_transport_spi.c
> And resp_requests() in scsi_debug.c.

It's not that it's technically hard to fix up, it's more that it's a
pain in the ass to have to do it. For instance, for blk_execute_rq(), we
either should enforce that the caller allocates it dynamically and then
free it, or we need nasty hack where the caller needs to know he has to
free it. Pretty obvious what I would prefer there.

And yes, there would be a good chunk of other places where this would
nede to be fixed up...

> So I guess ugly it may need to be, and the rule is that the sense
> buffer really can be on the stack and you can't DMA to/from it.
> Comments from others?

I'm just wondering why this is being hit now, we have a 4.9 release with
this issue and nobody reported it (that I saw)... Which is pretty sad.

If no one beats me to it, I'll try and get a patch done on Sunday. We're
in the midst of the holidays here.

Jens Axboe

Powered by blists - more mailing lists