Re: [PATCH fix] scsi_lib: make sure scsi_request.sense valid

On Wed, 2019-01-16 at 10:57 -0500, Douglas Gilbert wrote:
> The block layer assumes scsi_request:sense is always a valid
> pointer. This is set up once in scsi_mq_init_request() and the
> containing scsi_cmnd object is used often, being re-initialized
> by scsi_init_command(). That works unless some code re-purposes
> part of the scsi_cmnd object for something else. And that is
> what bidi handling does in scsi_mq_prep_fn(). The result is an
> oops at some later time when the partly overwritten object is
> re-used. The overwrite is from d285203cf647d but 'git blame'
> does not show removed code, so that commit may not be the
> culprit.
> 
> Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
> ---
> 
> This was found while injecting errors (thus generating sense data)
> into a sequence of bidi commands. At some later time the block
> layer blew up with a scsi_request::sense NULL dereference in
> sg_rq_end_io(). Without testing I'm confident the bsg driver,
> the osd ULD and exofs are exposed to this bug.
> 
>  drivers/scsi/scsi_lib.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
> index b13cc9288ba0..71259bd4040a 100644
> --- a/drivers/scsi/scsi_lib.c
> +++ b/drivers/scsi/scsi_lib.c
> @@ -1175,6 +1175,7 @@ void scsi_init_command(struct scsi_device *dev, struct scsi_cmnd *cmd)
>  
>  	cmd->device = dev;
>  	cmd->sense_buffer = buf;
> +	cmd->req.sense = buf;
>  	cmd->prot_sdb = prot;
>  	cmd->flags = flags;
>  	INIT_DELAYED_WORK(&cmd->abort_work, scmd_eh_abort_handler);
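Review bot: The added `cmd->req.sense = buf;` in scsi_init_command() does not match the failure the commit message describes, so the hunk papers over the symptom without fixing its cause. The message says the pointer is set once in scsi_mq_init_request() and is later clobbered when bidi handling in scsi_mq_prep_fn() re-purposes part of scsi_cmnd, yet the patch touches neither site and names no overwriting line; the description should identify the exact code that writes over req.sense, and the fix (not clobbering the pointer, or restoring it right after the re-purposing) belongs there. The reference to d285203cf647d is also hedged with "may not be the culprit", which leaves a reader no way to tell which commit this fixes or how far back it needs to go; either confirm the commit or drop the reference.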

Hi Doug,

The description of this patch does not look correct to me. scsi_init_command()
does not overwrite the sense pointer. From the body of that function:

	/* zero out the cmd, except for the embedded scsi_request */
	memset((char *)cmd + sizeof(cmd->req), 0,
		sizeof(*cmd) - sizeof(cmd->req) + dev->host->hostt->cmd_size);

It is not clear to me which code overwrites the sense pointer. I think that
needs to be figured out before discussion of this patch can continue.

Thanks,

Bart.
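To make the reasoning in the reply concrete, here is a small stand-alone C model (added here, not kernel code) of the quoted memset: the struct names mirror the kernel's, but the layouts, the PRIV_SIZE constant and the init_command_like_memset/sense_pointer_survives functions are constructed stand-ins for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (layouts are not the real ones). */
struct scsi_request {
	unsigned char *sense;		/* the block layer expects this to stay valid */
	unsigned int sense_len;
};

struct scsi_cmnd {
	struct scsi_request req;	/* embedded first, so it can be skipped by offset */
	void *device;
	unsigned char *sense_buffer;
	unsigned long flags;
	/* in the kernel a host-private area of hostt->cmd_size bytes follows */
};

/* The offset trick only works if req really is the first member. */
_Static_assert(offsetof(struct scsi_cmnd, req) == 0, "req must be first");

#define PRIV_SIZE 32			/* constructed stand-in for hostt->cmd_size */

/* Mirrors the quoted memset: zero everything after the embedded request,
 * including the trailing per-host private area, then set the pointers. */
static void init_command_like_memset(struct scsi_cmnd *cmd, size_t cmd_size,
				     unsigned char *buf)
{
	memset((char *)cmd + sizeof(cmd->req), 0,
	       sizeof(*cmd) - sizeof(cmd->req) + cmd_size);
	cmd->sense_buffer = buf;
}

/* Returns 1 if req.sense survives re-initialization while the rest is cleared. */
int sense_pointer_survives(void)
{
	static unsigned char sense_buf[96];
	/* one command slot plus its private tail, properly aligned */
	static union {
		struct scsi_cmnd cmd;
		unsigned char raw[sizeof(struct scsi_cmnd) + PRIV_SIZE];
	} slot;

	slot.cmd.req.sense = sense_buf;		/* set once, as scsi_mq_init_request() does */
	slot.cmd.req.sense_len = sizeof(sense_buf);
	slot.cmd.flags = 0xdeadUL;		/* stale state from a previous use */
	slot.cmd.device = (void *)&slot;

	init_command_like_memset(&slot.cmd, PRIV_SIZE, sense_buf);

	return slot.cmd.req.sense == sense_buf && slot.cmd.flags == 0 &&
	       slot.cmd.device == NULL && slot.cmd.sense_buffer == sense_buf;
}
```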


