On 11/23/20 9:15 AM, Alexander Potapenko wrote:
> Hi Christoph, Jens,
>
> We've found a double-fetch in sg_scsi_ioctl() using a prototype tool
> (see the report below).
>
> Turns out that sg_scsi_ioctl() reads the first byte of sic->data
> twice: first when getting the opcode
> (https://elixir.bootlin.com/linux/latest/source/block/scsi_ioctl.c#L439),
> then when reading the command of the size calculated from that opcode
> (https://elixir.bootlin.com/linux/latest/source/block/scsi_ioctl.c#L464).
>
> At this point opcode and req->cmd[0] may mismatch.
> The opcode is then used to determine rq->timeout and req->retries,
> whereas req->cmd[0] is used by the underlying device drivers.
> Not sure invalid timeout or retries is a big deal, but since the
> command length also depends on the opcode, it is possible to trick the
> kernel into using the remnants of the previous command by first
> announcing a short command and then changing the opcode to a longer
> one.
>
> I've noticed that three years ago Meng Xu reported the very same
> bug already: https://patchwork.kernel.org/project/linux-block/patch/1505834638-37142-1-git-send-email-mengxu.gatech@xxxxxxxxx/
> Was there any followup to that patch?

Doesn't look like it - Christoph made a suggestion, and then the original
reporter didn't follow up. FWIW, I do agree that just copying it once is a
better idea than copying twice and then copying the opcode again.

-- 
Jens Axboe
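The double-fetch pattern Alexander describes and the copy-once alternative Jens prefers, as an added example that is neither kernel code nor from either author: a simplified model in which a mock copy routine rewrites the constructed user buffer between fetches to stand in for a concurrent writer, so no real race is run. MAX_CMD, cmd_len() and the opcode values 0x12/0x20 are constructed stand-ins for the kernel's command-size table.

```c
#include <stddef.h>
#include <string.h>
/* Simplified model: "user memory" is a constructed global buffer, and the
 * mock copy routine rewrites its opcode byte after the first fetch to stand
 * in for a concurrent writer (no real race is run). */
#define MAX_CMD 16
struct cmd { unsigned char opcode; unsigned char data[MAX_CMD]; int len; };
static unsigned char user_buf[MAX_CMD];   /* stands in for sic->data */
static int fetch_count;
static void mock_copy_from_user(void *dst, size_t n)
{
    memcpy(dst, user_buf, n);
    if (++fetch_count == 1)
        user_buf[0] = 0x20;   /* constructed: switch to a 10-byte opcode */
}
/* Constructed opcode-to-length table; the kernel uses COMMAND_SIZE(). */
static int cmd_len(unsigned char opcode) { return opcode < 0x20 ? 6 : 10; }

/* Double fetch: opcode read once to choose the length, then the command
 * (opcode included) is copied again, so the two can disagree. */
static struct cmd parse_double_fetch(void)
{
    struct cmd c = {0};
    fetch_count = 0;
    mock_copy_from_user(&c.opcode, 1);
    c.len = cmd_len(c.opcode);
    mock_copy_from_user(c.data, (size_t)c.len);
    return c;
}
/* Single copy: fetch the fixed-size buffer once and derive both opcode
 * and length from the kernel-side copy only. */
static struct cmd parse_single_copy(void)
{
    struct cmd c = {0};
    fetch_count = 0;
    mock_copy_from_user(c.data, MAX_CMD);
    c.opcode = c.data[0];
    c.len = cmd_len(c.opcode);
    return c;
}
/* Reset the buffer to a short (6-byte) command, run a parser, and report
 * whether its opcode disagrees with the first byte of the copied command. */
static int mismatch_after(struct cmd (*parse)(void))
{
    memset(user_buf, 0, sizeof user_buf);
    user_buf[0] = 0x12;   /* constructed: a 6-byte-class opcode */
    struct cmd c = parse();
    return c.opcode != c.data[0];
}
```

With the double fetch, the length is chosen for the 6-byte opcode while the copied command starts with the 10-byte one; the single copy keeps both decisions on the same kernel-side bytes.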