lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <yq1r1huw3xu.fsf@ca-mkp.ca.oracle.com>
Date:   Wed, 26 May 2021 00:04:46 -0400
From:   "Martin K. Petersen" <martin.petersen@...cle.com>
To:     Phillip Potter <phil@...lpotter.co.uk>
Cc:     "Martin K. Petersen" <martin.petersen@...cle.com>,
        jejb@...ux.ibm.com, linux-scsi@...r.kernel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] scsi: sd: skip checks when media is present if
 sd_read_capacity reports zero


Phillip,

> It occurred to me that a capacity of zero for a media which is present
> would make the following function calls/checks invalid, hence the
> motivation for my patch, as skipping all those checks with such a size
> prevents this bug.

Yes and no. In theory most of these are orthogonal to what the reported
capacity is. But obviously the values reported are not terribly useful
if capacity is zero.

> Another thing I noticed was that (unless I'm reading this wrong which
> is certainly possible) the buffer is never fully memset. It is
> allocated to be 512 bytes in size (as SD_BUF_SIZE) and yet
> sd_do_mode_sense/scsi_mode_sense is never called with a len param of
> this size but in fact much lower.

Correct. To avoid a bazillion different allocations in the device
discovery path we allocate one buffer that the various functions then
take turns using. With suitable lengths passed in based on what the
protocol defines. I don't know if KMSAN is smart enough to handle that
scenario?

If it is then there must be a real problem lurking somewhere in the
discovery path. I would prefer to track that down (as opposed to masking
the problem by exiting early if capacity is zero).

-- 
Martin K. Petersen	Oracle Linux Engineering

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ