Re: [PATCH] block: do not copy data to user when bi_status is error


 




On 2021/3/19 9:36, Ming Lei wrote:
> On Fri, Mar 19, 2021 at 12:13:05AM +0900, Keith Busch wrote:
>> On Thu, Mar 18, 2021 at 08:26:21PM +0800, Jason Yan wrote:
>>> When the user submitted a request with unaligned buffer, we will
>>> allocate a new page and try to copy data to or from the new page.
>>> If it is a reading request, we always copy back the data to user's
>>> buffer, whether the result is good or error. So if the driver or
>>> hardware returns an error, garbage data is copied to the user space.
>>> This is a potential security issue which makes kernel info leaks.
>>>
>>> So do not copy the uninitialized data to user's buffer if the
>>> bio->bi_status is not BLK_STS_OK in bio_copy_kern_endio_read().
>>
>> If we're using copy_kern routines, doesn't that mean it's a kernel
>> request rather than user space?
>
> It can be a kernel bounce buffer, which will be copied to user space
> later, such as sg_scsi_ioctl(), but sg_scsi_ioctl() checks the request
> result and does not copy the kernel buffer back in case of error.
>
> Seems other cases are all kernel requests.


Hi Ming & Keith,

Actually in sg_scsi_ioctl() it is still a problem. And the garbage data is bad both for user space and kernel space.

Please check this:
https://patchwork.kernel.org/project/linux-block/patch/20210319030128.1345061-3-yanaijie@xxxxxxxxxx/
https://patchwork.kernel.org/project/linux-block/patch/20210319030128.1345061-2-yanaijie@xxxxxxxxxx/
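
The copy-back behaviour described in the patch message quoted above, as an added user-space model that is not code from this thread or from the kernel: a bounce page holding stale bytes is copied to the caller after a failed read unless the completion checks the status first. All names (`dev_read`, `endio_read`, `STS_*`) and byte patterns are hypothetical stand-ins, and the model assumes the bounce page is not zeroed at allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAGE_SZ 4096
#define STALE   0xAA   /* constructed: leftover bytes from the page's previous user */
#define DEVDATA 0x11   /* constructed: bytes the device returns on success */
enum status { STS_OK, STS_IOERR };   /* hypothetical stand-ins for BLK_STS_OK / error */

/* Device read into the bounce page: on failure the page is left untouched. */
static enum status dev_read(unsigned char *bounce, int fail)
{
    if (fail)
        return STS_IOERR;
    memset(bounce, DEVDATA, PAGE_SZ);
    return STS_OK;
}

/* Read completion. checked == 0 models the behaviour the patch message
 * describes (always copy back); checked == 1 skips the copy on error. */
static void endio_read(unsigned char *user, const unsigned char *bounce,
                       enum status st, int checked)
{
    if (checked && st != STS_OK)
        return;
    memcpy(user, bounce, PAGE_SZ);
}

/* Run one bounced read and count stale bytes that reached the caller. */
static size_t stale_bytes_after_read(int fail, int checked)
{
    unsigned char user[PAGE_SZ] = {0};
    unsigned char *bounce = malloc(PAGE_SZ);
    size_t i, leaked = 0;
    if (!bounce)
        return (size_t)-1;
    memset(bounce, STALE, PAGE_SZ);   /* assumption: page not zeroed when allocated */
    endio_read(user, bounce, dev_read(bounce, fail), checked);
    for (i = 0; i < PAGE_SZ; i++)
        leaked += (user[i] == STALE);
    free(bounce);
    return leaked;
}

int main(void)
{
    printf("error, unchecked: %zu stale bytes\n", stale_bytes_after_read(1, 0));
    printf("error, checked:   %zu stale bytes\n", stale_bytes_after_read(1, 1));
    return 0;
}
```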


