| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 4 Sep 2021 14:45:34 +0800
From: Laibin Qiu <qiulaibin@...wei.com>
To: <jejb@...ux.ibm.com>, <martin.petersen@...cle.com>, <hare@...e.de>
CC: <linux-scsi@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<qiulaibin@...wei.com>
Subject: [PATCH -next] [SCSI] Fix NULL pointer dereference in handling for passthrough commands
In passthrough path. If the command size for ioctl request from userspace
is 0. The original process will get cmd_len from cmd->cmnd, but It has
not been assigned at this time. So it will trigger a NULL pointer BUG.
------------[ cut here ]------------
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
RIP: 0010:scsi_queue_rq+0xcb2/0x12b0
Call Trace:
blk_mq_dispatch_rq_list+0x541/0xe90
__blk_mq_sched_dispatch_requests+0x1fe/0x2b0
blk_mq_sched_dispatch_requests+0xbf/0x130
__blk_mq_run_hw_queue+0x15b/0x230
__blk_mq_delay_run_hw_queue+0x18f/0x320
blk_mq_run_hw_queue+0x252/0x280
blk_mq_sched_insert_request+0x228/0x260
blk_execute_rq+0x111/0x160
sg_io+0x51a/0x740
scsi_cmd_ioctl+0x533/0x910
scsi_cmd_blk_ioctl+0xa1/0xb0
cdrom_ioctl+0x3f/0x2510
sr_block_ioctl+0x142/0x180
blkdev_ioctl+0x398/0x450
block_ioctl+0x6d/0x80
__se_sys_ioctl+0xd1/0x140
__x64_sys_ioctl+0x3f/0x50
do_syscall_64+0x37/0x50
entry_SYSCALL_64_after_hwframe+0x44/0xa9
We can trigger front BUG by ioctl blow.
------------[ cut here ]------------
sg_io_hdr_t *addr;
addr = malloc(sizeof(sg_io_hdr_t));
memset(addr, 0, sizeof(sg_io_hdr_t));
addr->interface_id = 'S';
fd = open(/dev/sr0, O_RDONLY); // open a CD_ROM dev
ioctl(fd, SG_IO, addr); // all zero sg_io_hdr_t will trigger this bug
Fixes: 2ceda20f0a99a ("scsi: core: Move command size detection out of
the fast path")
Signed-off-by: Laibin Qiu <qiulaibin@...wei.com>
---
drivers/scsi/scsi_lib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 572673873ddf..53b47a9103d3 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1174,9 +1174,9 @@ static blk_status_t scsi_setup_scsi_cmnd(struct scsi_device *sdev,
}
cmd->cmd_len = scsi_req(req)->cmd_len;
+ cmd->cmnd = scsi_req(req)->cmd;
if (cmd->cmd_len == 0)
cmd->cmd_len = scsi_command_size(cmd->cmnd);
- cmd->cmnd = scsi_req(req)->cmd;
cmd->transfersize = blk_rq_bytes(req);
cmd->allowed = scsi_req(req)->retries;
return BLK_STS_OK;
--
2.22.0
Powered by blists - more mailing lists