On 2/16/22 01:25, Haimin Zhang wrote:
> Yeah, but I think sg_scsi_ioctl is just one of the situations that use this uninitialized buffer; the root cause is still in bio_copy_kern. It should zero the buffer when it allocates a new page for a bio.
>

no top posting

> On 2022/2/16, 5:12 PM, "Chaitanya Kulkarni" <chaitanyak@xxxxxxxxxx> wrote:
>
> > On 2/16/22 00:40, Haimin Zhang wrote:
> > > Add __GFP_ZERO flag for alloc_page in function bio_copy_kern to initialize
> > > the buffer of a bio.
> > >
> > > Signed-off-by: Haimin Zhang <tcs.kernel@xxxxxxxxx>
> > > ---
> > > This can cause a kernel-info-leak problem.
> > > 0. This problem occurred in function scsi_ioctl. If the parameter cmd is SCSI_IOCTL_SEND_COMMAND, the function scsi_ioctl will call sg_scsi_ioctl to further process.
> > > 1. In function sg_scsi_ioctl, it creates a scsi request and calls blk_rq_map_kern to map kernel data to a request.
> > > 3. blk_rq_map_kern calls bio_copy_kern to request a bio.
> > > 4. bio_copy_kern calls alloc_page to request the buffer of a bio. In the case of reading, it wouldn't fill anything into the buffer.
> >
> > but blk_rq_map_kern() does accept gfp_mask for exactly this same case
> > and that is passed on to the bio_copy_kern() unless I'm wrong here,
> > so you need to pass the __GFP_ZERO flag in the step 3 above
> > (sg_scsi_ioctl) and not force zeroed allocation in the generic API..
> >
> > -ck
> >
> >

and there is a way to fix it by passing the right gfp flag for the scsi case, why modify core code? In the absence of the flag I can understand, but that is not the case ...

-ck
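The failure mode the thread is arguing over, as an added userspace model that is not kernel code and not part of this thread: a recycled page keeps its previous contents, a request buffer is allocated from it, the device answers a read with fewer bytes than the buffer holds, and everything beyond what the device wrote is whatever was there before. The model lets the caller choose the gfp mask, which is the shape of the fix Chaitanya describes (the caller passes the zeroing flag through blk_rq_map_kern) as opposed to unconditional zeroing in the generic path. All names here (alloc_page_sim, bio_copy_kern_sim, device_read_sim, MY_GFP_ZERO, the page pool) are constructed stand-ins for the kernel functions named in the thread, not the real ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NR_PAGES 4
#define MY_GFP_ZERO 0x1u   /* constructed stand-in for __GFP_ZERO */

/* Constructed page pool. Freed pages go back to the pool with their old
 * bytes intact, which is what makes an unzeroed allocation observable. */
static uint8_t page_pool[NR_PAGES][PAGE_SIZE];
static bool page_in_use[NR_PAGES];

/* Stand-in for alloc_page(): zero the page only when the caller asks for it. */
static uint8_t *alloc_page_sim(unsigned gfp)
{
    for (int i = 0; i < NR_PAGES; i++) {
        if (!page_in_use[i]) {
            page_in_use[i] = true;
            if (gfp & MY_GFP_ZERO)
                memset(page_pool[i], 0, PAGE_SIZE);
            return page_pool[i];
        }
    }
    return NULL;
}

static void free_page_sim(uint8_t *p)
{
    for (int i = 0; i < NR_PAGES; i++)
        if (page_pool[i] == p)
            page_in_use[i] = false;
}

/* Stand-in for bio_copy_kern(): the buffer is allocated with whatever gfp
 * mask the caller passed down, as the thread says blk_rq_map_kern() does. */
static uint8_t *bio_copy_kern_sim(size_t len, unsigned gfp)
{
    (void)len;  /* the model always hands out one whole page */
    return alloc_page_sim(gfp);
}

/* Stand-in for a device answering a read: fills only answer_len bytes. */
static size_t device_read_sim(uint8_t *buf, size_t buflen, size_t answer_len)
{
    if (answer_len > buflen)
        answer_len = buflen;
    memset(buf, 0xAB, answer_len);
    return answer_len;
}

/* Runs one modelled read and returns how many bytes beyond the device's
 * answer still carry the previous page owner's data. A result of 0 means
 * copying the whole buffer to user space would expose nothing stale. */
static size_t stale_bytes_after_read(unsigned gfp, size_t answer_len)
{
    /* A prior user of the page leaves recognisable content behind (constructed). */
    uint8_t *prev = alloc_page_sim(0);
    memset(prev, 0x5E, PAGE_SIZE);
    free_page_sim(prev);

    /* The ioctl path allocates its buffer with the caller's gfp mask. */
    uint8_t *buf = bio_copy_kern_sim(PAGE_SIZE, gfp);
    size_t got = device_read_sim(buf, PAGE_SIZE, answer_len);

    /* Count bytes the device never overwrote that still hold old data. */
    size_t stale = 0;
    for (size_t i = got; i < PAGE_SIZE; i++)
        if (buf[i] == 0x5E)
            stale++;

    free_page_sim(buf);
    return stale;
}
```

With a 64-byte answer and no zeroing flag, the remaining 4032 bytes of the page are the previous owner's; passing MY_GFP_ZERO from the caller brings that to 0 without changing the allocation helper itself, which is the point of contention in the thread.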