Message-ID:
 <BN7PR02MB41487C2C9BA6B963758E722AD4E52@BN7PR02MB4148.namprd02.prod.outlook.com>
Date: Sat, 18 Jan 2025 23:35:10 +0000
From: Michael Kelley <mhklinux@...look.com>
To: "longli@...uxonhyperv.com" <longli@...uxonhyperv.com>, "K. Y. Srinivasan"
	<kys@...rosoft.com>, Haiyang Zhang <haiyangz@...rosoft.com>, Wei Liu
	<wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>, "James E.J.
 Bottomley" <James.Bottomley@...senPartnership.com>, "Martin K. Petersen"
	<martin.petersen@...cle.com>, James Bottomley <JBottomley@...n.com>,
	"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
	"linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: Long Li <longli@...rosoft.com>, "stable@...nel.org" <stable@...nel.org>
Subject: RE: [PATCH] scsi: storvsc: Set correct data length for sending SCSI
 command without payload

From: longli@...uxonhyperv.com <longli@...uxonhyperv.com>
Sent: Thursday, January 16, 2025 4:00 PM
> 
> In StorVSC, payload->range.len is used to indicate if this SCSI command
> carries payload. This data is allocated as part of the private driver
> data by the upper layer and may get passed to lower driver uninitialized.

I had always thought the private driver data *is* initialized to zero by the
upper layer. Indeed, scsi_queue_rq() calls scsi_prepare_cmd(), which
zeros the private driver data as long as the driver does not specify a
custom function to do the initialization (and storvsc does not).  So
I'm curious -- what's the execution path where this initialization doesn't
happen?

Michael

> 
> If a SCSI command doesn't carry payload, the driver may use this value as
> is for communicating with host, resulting in possible corruption.
> 
> Fix this by always initializing this value.
> 
> Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information given by the host")
> Cc: stable@...nel.org
> Signed-off-by: Long Li <longli@...rosoft.com>
> ---
>  drivers/scsi/storvsc_drv.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
> index 7ceb982040a5..ca5e5c0aeabf 100644
> --- a/drivers/scsi/storvsc_drv.c
> +++ b/drivers/scsi/storvsc_drv.c
> @@ -1789,6 +1789,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host,
> struct scsi_cmnd *scmnd)
> 
>  	length = scsi_bufflen(scmnd);
>  	payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
> +	payload->range.len = 0;
>  	payload_sz = 0;
> 
>  	if (scsi_sg_count(scmnd)) {
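Review bot: the added `payload->range.len = 0;` is placed right after `payload` is derived from `cmd_request->mpb` and before the `scsi_sg_count(scmnd)` branch, which is the correct ordering for a reset, but neither the hunk nor the changelog identifies the execution path on which this private driver data reaches storvsc_queuecommand() uninitialized, and that claim ("may get passed to lower driver uninitialized") is the entire justification for the change. Please name that path in the commit message, and add a one-line comment above the assignment stating that `range.len` must be zero for a command without payload so a stale value is never sent to the host.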
> --
> 2.43.0
> 

