On Fri, Mar 19, 2021 at 12:13:05AM +0900, Keith Busch wrote:
> On Thu, Mar 18, 2021 at 08:26:21PM +0800, Jason Yan wrote:
> > When the user submits a request with an unaligned buffer, we will
> > allocate a new page and try to copy data to or from the new page.
> > If it is a read request, we always copy the data back to the user's
> > buffer, whether the result is good or an error. So if the driver or
> > hardware returns an error, garbage data is copied to user space.
> > This is a potential security issue which causes kernel info leaks.
> >
> > So do not copy the uninitialized data to the user's buffer if
> > bio->bi_status is not BLK_STS_OK in bio_copy_kern_endio_read().
>
> If we're using copy_kern routines, doesn't that mean it's a kernel
> request rather than user space?

It can be a kernel bounce buffer, which will be copied to user space
later, such as in sg_scsi_ioctl(), but sg_scsi_ioctl() checks the request
result and does not copy the kernel buffer back in case of error.

Seems the other cases are all kernel requests.

--
Ming
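The failure mode discussed in this thread, as an added user-space C model that is not kernel code and not part of the original patch or replies: a bounce page is allocated for an unaligned read, the simulated driver fails and leaves the page untouched, and the completion handler either copies the page back unconditionally (the pre-patch behaviour the commit message describes) or only when the status is BLK_STS_OK (the fix). `struct bounce_read`, `simulated_driver_complete`, the two `endio_read_*` functions and `run_read` are all constructed for this example; the `BLK_STS_*` constants are stand-ins, not the kernel's definitions. The "stale" contents of the bounce page are a fixed 0xAA pattern rather than genuinely uninitialised memory so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel's blk_status_t values (hypothetical numbers). */
typedef int blk_status_t;
#define BLK_STS_OK    0
#define BLK_STS_IOERR 10

/* Minimal model of the pieces of a bounce-buffered read that matter here.
 * This is not the kernel's struct bio; it is constructed for the example. */
struct bounce_read {
    uint8_t     *bounce;    /* kernel-allocated bounce page */
    uint8_t     *user_buf;  /* where the data is ultimately copied to */
    size_t       len;
    blk_status_t bi_status;
};

/* Simulated driver completion: on success the bounce page is filled with
 * device data (0x42); on failure an error status is set and the page is
 * left exactly as it was, which is what makes the leak possible. */
static void simulated_driver_complete(struct bounce_read *r, int fail)
{
    if (fail) {
        r->bi_status = BLK_STS_IOERR;
        return;
    }
    memset(r->bounce, 0x42, r->len);
    r->bi_status = BLK_STS_OK;
}

/* Pre-patch behaviour: copy back regardless of the request status. */
static void endio_read_unconditional(struct bounce_read *r)
{
    memcpy(r->user_buf, r->bounce, r->len);
}

/* Patched behaviour: copy back only when the request completed OK. */
static void endio_read_checked(struct bounce_read *r)
{
    if (r->bi_status == BLK_STS_OK)
        memcpy(r->user_buf, r->bounce, r->len);
}

/* Run one 64-byte read and return how many bytes of the user buffer end up
 * equal to `needle`. Pass needle=0xAA to count stale bounce-page bytes that
 * leaked, needle=0x42 to count genuine device data delivered. */
int run_read(int fail, int use_fix, uint8_t needle)
{
    enum { LEN = 64 };
    uint8_t bounce[LEN];
    uint8_t user_buf[LEN];

    /* Whatever the previous user of the page left behind; a recognisable
     * pattern stands in for uninitialised memory (constructed). */
    memset(bounce, 0xAA, LEN);
    memset(user_buf, 0x00, LEN);

    struct bounce_read r = { bounce, user_buf, LEN, BLK_STS_OK };
    simulated_driver_complete(&r, fail);
    if (use_fix)
        endio_read_checked(&r);
    else
        endio_read_unconditional(&r);

    int count = 0;
    for (size_t i = 0; i < LEN; i++)
        if (user_buf[i] == needle)
            count++;
    return count;
}

int main(void)
{
    printf("error, unpatched: %d stale bytes reach the user buffer\n",
           run_read(1, 0, 0xAA));
    printf("error, patched:   %d stale bytes reach the user buffer\n",
           run_read(1, 1, 0xAA));
    printf("success, patched: %d bytes of device data delivered\n",
           run_read(0, 1, 0x42));
    return 0;
}
```

The same check is what the reply credits sg_scsi_ioctl() with doing at a higher layer: it inspects the request result before copying the kernel buffer to user space, so even the unpatched completion path does not reach the user there. The patch moves the guard into the completion handler itself, so no caller has to remember it.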