On Fri, Mar 19, 2021 at 09:36:40AM +0800, Ming Lei wrote: > On Fri, Mar 19, 2021 at 12:13:05AM +0900, Keith Busch wrote: > > On Thu, Mar 18, 2021 at 08:26:21PM +0800, Jason Yan wrote: > > > When the user submitted a request with unaligned buffer, we will > > > allocate a new page and try to copy data to or from the new page. > > > If it is a reading request, we always copy back the data to user's > > > buffer, whether the result is good or error. So if the driver or > > > hardware returns an error, garbage data is copied to the user space. > > > This is a potential security issue which makes kernel info leaks. > > > > > > So do not copy the uninitalized data to user's buffer if the > > > bio->bi_status is not BLK_STS_OK in bio_copy_kern_endio_read(). > > > > If we're using copy_kern routines, doesn't that mean it's a kernel > > request rather than user space? > > It can be a kernel bounce buffer, which will be copied to user space > later, such as sg_scsi_ioctl(), but sg_scsi_ioctl() checks the request > result and not copy kernel buffer back in case of error. Wow, that interface has said it was deprecated since 2006! And there doesn't appear to be any reason that it's not using blk_rq_map_user() instead, which already sanitizes bounce buffers copied back to user space.
