On Wed, Jun 12, 2019 at 11:34:41AM +0800, Ming Lei wrote:
> On Tue, Jun 11, 2019 at 11:09:51PM -0400, Martin K. Petersen wrote:
> >
> > James,
> >
> > > Studying the issue further, I think we have to do the rebase. The
> > > problem is that any driver which hasn't been updated can be persuaded
> > > to walk off the end of the request and dereference the next struct
> > > request. It's not impossible for userspace to set up both requests,
> > > so it looks like this could be used at least to leak information from
> > > the kernel if not exploit it outright. I think that means we have to
> > > have every driver updated before this goes in.
> >
> > I agree in theory. Although, regardless of ordering of the commits, this
> > would still be a single pull request for 5.3. So it's not like there
> > would be a kernel release with this flaw exposed. Assuming all drivers
> > get fixed.
> >
> > Hence my concerns about breaking bisection. Not in terms of being able
> > to build, but in terms of being able to test intermediate commits on
> > systems with the affected drivers.
> >
> > Ming: Please audit all drivers, including ones that live outside of
> > drivers/scsi but which use the midlayer such as s390, USB, libata,
> > etc. Just to make sure we've got all of them covered.
>
> OK, I am studying coccinelle, and should figure out one semantic patch
> for covering all these drivers.

Looks like the following semantic patch is working. If you are fine with it,
I will start to work out patches with this coccinelle semantic patch:

@@
struct scatterlist *p;
@@
(
- p++
+ p = sg_next(p)
|
- p--
+ p = sg_non_exist_prev(p)
|
- p += 1
+ p = sg_next(p)
|
- p -= 1
+ p = sg_non_exist_prev(p)
|
- p = p + 1
+ p = sg_next(p)
|
- p = p - 1
+ p = sg_non_exist_prev(p)
)

@@
struct scatterlist *p;
expression data != 0;
@@
- p[data]
+ '!!!!!!use sg iterator helper!!!!!!'

@@
struct scatterlist[] p;
expression data != 0;
@@
- p[data]
+ '!!!!!!use sg iterator helper!!!!!!'

Thanks,
Ming
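Added example, not part of the thread and not kernel code: a small user-space
C model of the chained scatterlist walk the thread is about. It shows why a
plain p++ over nents entries is the pattern the semantic patch hunts (it
ignores the chain slot and runs past the first table into whatever sits next
in memory, here a stand-in for the neighbouring request) and why sg_next() is
the replacement. The model keeps explicit is_chain/is_last fields instead of
the flag bits the kernel packs into page_link (an assumption made so it builds
outside the kernel); the entry lengths and the memory layout are constructed.

```c
/* Added example (not kernel code): user-space model of chained scatterlist
 * traversal. SG_CHAIN/SG_END are explicit fields here instead of page_link
 * flag bits (assumption, so the file builds outside the kernel). */
#include <stddef.h>
#include <string.h>

struct scatterlist {
    struct scatterlist *chain;  /* stands in for page_link when is_chain is set */
    unsigned int offset;
    unsigned int length;
    int is_chain;               /* SG_CHAIN: this slot points at the next table */
    int is_last;                /* SG_END: last data entry of the whole list */
};

/* Kernel-style sg_next(): stop at SG_END, step over chain slots. */
static struct scatterlist *sg_next(struct scatterlist *sg)
{
    if (sg->is_last)
        return NULL;
    sg++;
    if (sg->is_chain)
        sg = sg->chain;
    return sg;
}

/* Kernel-style sg_chain(): the last slot of prv becomes a chain slot to sgl. */
static void sg_chain(struct scatterlist *prv, unsigned int prv_nents,
                     struct scatterlist *sgl)
{
    struct scatterlist *c = &prv[prv_nents - 1];
    c->chain = sgl;
    c->is_chain = 1;
    c->is_last = 0;
    c->offset = c->length = 0;
}

static void sg_mark_end(struct scatterlist *sg)
{
    sg->is_last = 1;
    sg->is_chain = 0;
}

/* Correct walk: follows chain slots and stops at the SG_END entry. */
static unsigned int total_len_sg_next(struct scatterlist *sgl)
{
    unsigned int total = 0;
    for (struct scatterlist *p = sgl; p; p = sg_next(p))
        total += p->length;
    return total;
}

/* The pattern the semantic patch removes: p++ for nents entries. It never
 * sees the chain slot as a chain and runs off the end of the first table. */
static unsigned int total_len_increment(struct scatterlist *sgl, unsigned int nents)
{
    unsigned int total = 0;
    struct scatterlist *p = sgl;
    for (unsigned int i = 0; i < nents; i++, p++)
        total += p->length;
    return total;
}

/* Constructed layout: mem[0..2] is this request's first table (two data
 * entries plus the chain slot); mem[3..4] stand in for the *next* request's
 * scatterlist that happens to follow it in memory. tail[] is this request's
 * second table, reachable only through the chain slot. */
struct model {
    struct scatterlist mem[5];
    struct scatterlist tail[2];
};

static void build_model(struct model *m)
{
    memset(m, 0, sizeof *m);
    m->mem[0].length = 4096;
    m->mem[1].length = 512;
    m->tail[0].length = 1024;
    m->tail[1].length = 2048;
    sg_mark_end(&m->tail[1]);
    sg_chain(m->mem, 3, m->tail);      /* mem[2] now chains to tail[0] */
    /* neighbouring request's entries: a correct walk must never touch these */
    m->mem[3].length = 65536;
    m->mem[4].length = 65536;
}

/* sg_next() walk over 4 data entries: 4096 + 512 + 1024 + 2048 = 7680 */
unsigned int demo_correct(void)
{
    struct model m;
    build_model(&m);
    return total_len_sg_next(m.mem);
}

/* p++ walk for nents = 4: 4096 + 512 + 0 (chain slot) + 65536 (next request) */
unsigned int demo_buggy(void)
{
    struct model m;
    build_model(&m);
    return total_len_increment(m.mem, 4);
}
```

demo_buggy() reads the chain slot as if it were data and then the entry that
belongs to the neighbouring request, which is the information-leak path James
describes; demo_correct() sums exactly this request's four entries. In the
real kernel the same mistake reads past the real table into the adjacent
allocation, so the semantic patch above is the audit that finds every such
site, and the review of each driver should then check the nents loop bound as
well as the step.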