Re: [PATCH] scsi: sr: fix oob access in get_capabilities

2017-03-20 Thread Kefeng Wang
On 2017/3/20 22:29, Martin K. Petersen wrote:
> Kefeng Wang writes:
>
> Kefeng,
>
>> The issue still exists, the patch returns zero in scsi_mode_sense(), but zero
>> means
>> SAM_STAT_GOOD in scsi_status_is_good(), so n will be still bigger than 512;
>
> OK, I checked the other users of

Re: [PATCH] scsi: sr: fix oob access in get_capabilities

2017-03-20 Thread Martin K. Petersen
Kefeng Wang writes:

Kefeng,

> The issue still exists, the patch returns zero in scsi_mode_sense(), but zero
> means
> SAM_STAT_GOOD in scsi_status_is_good(), so n will be still bigger than 512;

OK, I checked the other users of scsi_mode_sense(). So let's keep this fix local to sr.c for now.

Re: [PATCH] scsi: sr: fix oob access in get_capabilities

2017-03-20 Thread Kefeng Wang
On 2017/3/18 7:29, Martin K. Petersen wrote:
> Kefeng Wang writes:
>
> Kefeng,
>
>> root@localhost ~]# sg_modes -p 0x2a /dev/sr0
>> QEMU QEMU DVD-ROM 0.15 peripheral_type: cd/dvd [0x5]
>> Mode parameter header from MODE SENSE(10):
>> Invalid block descriptor length=512, ignore

Re: [PATCH] scsi: sr: fix oob access in get_capabilities

2017-03-17 Thread Martin K. Petersen
Kefeng Wang writes:

Kefeng,

> root@localhost ~]# sg_modes -p 0x2a /dev/sr0
> QEMU QEMU DVD-ROM 0.15 peripheral_type: cd/dvd [0x5]
> Mode parameter header from MODE SENSE(10):
> Invalid block descriptor length=512, ignore
> Mode data length=36, medium type=0x70, specific

Re: [PATCH] scsi: sr: fix oob access in get_capabilities

2017-03-15 Thread Kefeng Wang
On 2017/3/16 8:07, Martin K. Petersen wrote:
> Kefeng Wang writes:
>
> Kefeng,
>
>> 'n = header_length + block_descriptor_length' could be greater than 512,
>> and will lead to oob access, so enlarge transfer buffer to fix it.
>
> Can you share the output of sg_modes -p 0x2a /dev/srN for the

Re: [PATCH] scsi: sr: fix oob access in get_capabilities

2017-03-15 Thread Martin K. Petersen
Kefeng Wang writes:

Kefeng,

> 'n = header_length + block_descriptor_length' could be greater than 512,
> and will lead to oob access, so enlarge transfer buffer to fix it.

Can you share the output of sg_modes -p 0x2a /dev/srN for the offending drive? This mode page is usually much smaller

Re: [PATCH] scsi: sr: fix oob access in get_capabilities

2017-03-05 Thread Kefeng Wang
Hi all,

On 2017/3/3 18:17, Kefeng Wang wrote:
> 'n = header_length + block_descriptor_length' could be greater than 512,
> and will lead to oob access, so enlarge transfer buffer to fix it.

I am not familiar with the SCSI protocol, so the patch may be wrong. Question, is it reasonable for

[PATCH] scsi: sr: fix oob access in get_capabilities

2017-03-03 Thread Kefeng Wang
'n = header_length + block_descriptor_length' could be greater than 512, and will lead to oob access, so enlarge transfer buffer to fix it.

===
BUG: KASAN: slab-out-of-bounds in sr_probe+0x570/0xcc0 at addr 8809020e
Read of size 1 by task kworker/u48:2/188

Signed-off-by: Kefeng Wang
---