On 2/16/22 00:40, Haimin Zhang wrote:
> Add __GFP_ZERO flag for alloc_page in function bio_copy_kern to initialize
> the buffer of a bio.
>
> Signed-off-by: Haimin Zhang <tcs.kernel@xxxxxxxxx>
> ---
> This can cause a kernel-info-leak problem.
> 0. This problem occurred in function scsi_ioctl. If the parameter cmd is
>    SCSI_IOCTL_SEND_COMMAND, the function scsi_ioctl will call sg_scsi_ioctl
>    to further process.
> 1. In function sg_scsi_ioctl, it creates a scsi request and calls
>    blk_rq_map_kern to map kernel data to a request.
> 3. blk_rq_map_kern calls bio_copy_kern to request a bio.
> 4. bio_copy_kern calls alloc_page to request the buffer of a bio. In the case
>    of reading, it wouldn't fill anything into the buffer.

but blk_rq_map_kern() does accept gfp_mask for exactly this same case and that
is passed on to the bio_copy_kern() unless I'm wrong here, so you need to pass
the __GFP_ZERO flag in the step 3 above (sg_scsi_ioctl) and not force zeroed
allocation in the generic API.

-ck
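The point of the reply is that gfp_mask already flows from the ioctl caller through blk_rq_map_kern() into bio_copy_kern(), so the caller can request a zeroed page instead of the generic helper forcing one. The following userspace model illustrates that flow and why it matters for a read command that fills only part of the buffer. It is an added example, not code from this thread or from the kernel: every name with the sim_ prefix and the SIM_GFP_* flags are hypothetical stand-ins for alloc_page(), bio_copy_kern(), blk_rq_map_kern() and sg_scsi_ioctl(), and the "arena" is a constructed substitute for a recycled page holding stale kernel data.

```c
/* Userspace model of the call chain discussed above. NOT kernel code:
 * every sim_* function and SIM_GFP_* flag is a hypothetical stand-in. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIM_GFP_KERNEL 0x1u
#define SIM_GFP_ZERO   0x2u   /* models __GFP_ZERO */

#define SIM_PAGE_SIZE 4096

/* Constructed stand-in for a recycled page: a non-zeroed allocation will
 * visibly contain whatever the previous user left behind. */
static uint8_t sim_arena[SIM_PAGE_SIZE];

/* Simulate a prior user of the page leaving recognisable stale data. */
static void sim_arena_poison(void)
{
    memset(sim_arena, 0xAB, sizeof sim_arena);
}

/* Models alloc_page(gfp): the page is zeroed only when __GFP_ZERO is set. */
static uint8_t *sim_alloc_page(unsigned gfp)
{
    if (gfp & SIM_GFP_ZERO)
        memset(sim_arena, 0, sizeof sim_arena);
    return sim_arena;
}

/* Models bio_copy_kern(): the generic helper honours the caller's gfp_mask
 * rather than deciding about zeroing itself. */
static uint8_t *sim_bio_copy_kern(unsigned gfp)
{
    return sim_alloc_page(gfp);
}

/* Models blk_rq_map_kern(): simply forwards gfp_mask to bio_copy_kern(). */
static uint8_t *sim_blk_rq_map_kern(unsigned gfp)
{
    return sim_bio_copy_kern(gfp);
}

/* Models a read command where the device returns fewer bytes than the
 * buffer length requested by user space. */
static void sim_device_read(uint8_t *buf, size_t filled)
{
    memset(buf, 0x11, filled);
}

/* Count bytes in buf[filled..len) that still carry the stale marker, i.e.
 * bytes that would be copied back to user space without ever being written. */
static size_t sim_stale_bytes(const uint8_t *buf, size_t filled, size_t len)
{
    size_t n = 0;
    for (size_t i = filled; i < len; i++)
        if (buf[i] == 0xAB)
            n++;
    return n;
}

/* Models sg_scsi_ioctl() issuing a read of `len` bytes of which the device
 * fills `filled`. `request_zero` selects whether the caller adds __GFP_ZERO
 * to the gfp_mask it hands to blk_rq_map_kern(). Returns the number of
 * stale bytes that would reach user space. */
size_t sim_sg_scsi_ioctl_read(int request_zero, size_t len, size_t filled)
{
    unsigned gfp = SIM_GFP_KERNEL | (request_zero ? SIM_GFP_ZERO : 0);
    uint8_t *buf;

    if (len > SIM_PAGE_SIZE || filled > len)
        return (size_t)-1;             /* invalid request in this model */

    sim_arena_poison();                /* page comes back from a prior use */
    buf = sim_blk_rq_map_kern(gfp);    /* gfp_mask travels down the chain */
    sim_device_read(buf, filled);
    return sim_stale_bytes(buf, filled, len);
}

int main(void)
{
    printf("without __GFP_ZERO: %zu stale bytes reach user space\n",
           sim_sg_scsi_ioctl_read(0, 512, 64));
    printf("with    __GFP_ZERO: %zu stale bytes reach user space\n",
           sim_sg_scsi_ioctl_read(1, 512, 64));
    return 0;
}
```

The model keeps the zeroing decision at the ioctl layer, matching the reply's suggestion: the generic helpers only forward gfp_mask, and the caller that knows a short read can leave part of the buffer untouched is the one that sets the flag.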