Re: [PATCH] block: Allocate a sense buffer before executing an SG_IO ioctl

Wed, 23 Jan 2019 16:04:49 -0800 

On Wed, 2019-01-23 at 11:06 -0800, Bart Van Assche wrote:
> Some time ago blk_execute_rq() was modified such that it no longer
> allocates a sense buffer. Make sg_io() allocate and use a sense buffer.
> This patch avoids that the following bug is triggered when running the
> libiscsi tests against the scsi_debug driver:
> 
> usercopy: Kernel memory exposure attempt detected from null address (offset 
> 0, size 18)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:102!
> CPU: 5 PID: 693 Comm: iscsi-test-cu Not tainted 5.0.0-rc3-dbg+ #3
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 
> 04/01/2014
> RIP: 0010:usercopy_abort+0x7a/0x7c
> Call Trace:
>  __check_object_size.cold.1+0x37/0x3d
>  sg_io+0x5a2/0x700
>  scsi_cmd_ioctl+0x4d4/0x540
>  scsi_cmd_blk_ioctl+0x7b/0x8b
>  sd_ioctl+0xba/0x150
>  blkdev_ioctl+0x6e1/0xea0
>  block_ioctl+0x79/0x90
>  do_vfs_ioctl+0x12b/0x9b0
>  ksys_ioctl+0x41/0x80
>  __x64_sys_ioctl+0x43/0x50
>  do_syscall_64+0x71/0x210
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Cc: Christoph Hellwig <[email protected]>
> Cc: Martin K. Petersen <[email protected]>
> Cc: Douglas Gilbert <[email protected]>
> Cc: <[email protected]> # v4.11+
> Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
> Signed-off-by: Bart Van Assche <[email protected]>
> ---
>  block/scsi_ioctl.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
> index 533f4aee8567..066929ec0d61 100644
> --- a/block/scsi_ioctl.c
> +++ b/block/scsi_ioctl.c
> @@ -299,6 +299,7 @@ static int sg_io(struct request_queue *q, struct gendisk 
> *bd_disk,
>       struct request *rq;
>       struct scsi_request *req;
>       struct bio *bio;
> +     u8 sense[SCSI_SENSE_BUFFERSIZE];
>  
>       if (hdr->interface_id != 'S')
>               return -EINVAL;
> @@ -361,6 +362,7 @@ static int sg_io(struct request_queue *q, struct gendisk 
> *bd_disk,
>  
>       bio = rq->bio;
>       req->retries = 0;
> +     req->sense = sense;
>  
>       start_time = jiffies;

Please ignore this patch - I just realized that this is not the right way to
fix the reported issue.

Bart.

Reply via email to