62 lines
2.1 KiB
Diff
62 lines
2.1 KiB
Diff
From: Jens Axboe <axboe@kernel.dk>
|
|
Date: Mon, 21 May 2018 12:21:14 -0600
|
|
Subject: sr: pass down correctly sized SCSI sense buffer
|
|
Origin: https://git.kernel.org/linus/f7068114d45ec55996b9040e98111afa56e010fe
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11506
|
|
|
|
We're casting the CDROM layer request_sense to the SCSI sense
|
|
buffer, but the former is 64 bytes and the latter is 96 bytes.
|
|
As we generally allocate these on the stack, we end up blowing
|
|
up the stack.
|
|
|
|
Fix this by wrapping the scsi_execute() call with a properly
|
|
sized sense buffer, and copying back the bits for the CDROM
|
|
layer.
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com>
|
|
Reported-by: Daniel Shapira <daniel@twistlock.com>
|
|
Tested-by: Kees Cook <keescook@chromium.org>
|
|
Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
|
|
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
|
---
|
|
drivers/scsi/sr_ioctl.c | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
|
|
index 2a21f2d48592..35fab1e18adc 100644
|
|
--- a/drivers/scsi/sr_ioctl.c
|
|
+++ b/drivers/scsi/sr_ioctl.c
|
|
@@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
|
|
struct scsi_device *SDev;
|
|
struct scsi_sense_hdr sshdr;
|
|
int result, err = 0, retries = 0;
|
|
+ unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
|
|
|
|
SDev = cd->device;
|
|
|
|
+ if (cgc->sense)
|
|
+ senseptr = sense_buffer;
|
|
+
|
|
retry:
|
|
if (!scsi_block_when_processing_errors(SDev)) {
|
|
err = -ENODEV;
|
|
@@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
|
|
}
|
|
|
|
result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
|
|
- cgc->buffer, cgc->buflen,
|
|
- (unsigned char *)cgc->sense, &sshdr,
|
|
+ cgc->buffer, cgc->buflen, senseptr, &sshdr,
|
|
cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
|
|
|
|
+ if (cgc->sense)
|
|
+ memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
|
|
+
|
|
/* Minimal error checking. Ignore cases we know about, and report the rest. */
|
|
if (driver_byte(result) != 0) {
|
|
switch (sshdr.sense_key) {
|
|
--
|
|
2.11.0
|
|
|