lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <095a2264120ad51d0500c4ce8221be2f88a9537e.camel@suse.com>
Date:   Thu, 11 May 2023 15:10:47 +0200
From:   Martin Wilck <mwilck@...e.com>
To:     Juergen Gross <jgross@...e.com>, linux-kernel@...r.kernel.org,
        linux-scsi@...r.kernel.org
Cc:     "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        stable@...r.kernel.org
Subject: Re: [PATCH] scsi: Let scsi_execute_cmd() mark args->sshdr as invalid

On Thu, 2023-05-11 at 14:34 +0200, Juergen Gross wrote:
> Some callers of scsi_execute_cmd() (like e.g. sd_spinup_disk()) are
> passing an uninitialized struct sshdr and don't look at the return
> value of scsi_execute_cmd() before looking at the contents of that
> struct.
> 
> This can result in false positives when looking for specific error
> conditions.
> 
> In order to fix that let scsi_execute_cmd() zero sshdr-
> >response_code,
> resulting in scsi_sense_valid() returning false.
> 
> Cc: stable@...r.kernel.org
> Fixes: 3949e2f04262 ("scsi: simplify scsi_execute_req_flags")
> Signed-off-by: Juergen Gross <jgross@...e.com>
> ---
> I'm not aware of any real error having happened due to this problem,
> but I thought it should be fixed anyway.
> I _think_ 3949e2f04262 was introducing the problem, but I'm not 100%
> sure it is really the commit to be blamed.
> ---
>  drivers/scsi/scsi_lib.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)

One nitpick below, otherwise it looks good to me.

> 
> diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
> index b7c569a42aa4..923336620bff 100644
> --- a/drivers/scsi/scsi_lib.c
> +++ b/drivers/scsi/scsi_lib.c
> @@ -209,11 +209,17 @@ int scsi_execute_cmd(struct scsi_device *sdev,
> const unsigned char *cmd,
>         struct scsi_cmnd *scmd;
>         int ret;
>  
> -       if (!args)
> +       if (!args) {
>                 args = &default_args;
> -       else if (WARN_ON_ONCE(args->sense &&
> -                             args->sense_len !=
> SCSI_SENSE_BUFFERSIZE))
> -               return -EINVAL;
> +       } else {
> +               /* Mark sense data to be invalid. */
> +               if (args->sshdr)
> +                       args->sshdr->response_code = 0;

We know for certain that sizeof(*sshdr) is 8 bytes, and will most
probably remain so. Thus 

    memset(sshdr, 0, sizeof(*sshdr))

would result in more efficient code.

Martin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ