On Thu, 2016-03-03 at 00:31 -0500, Douglas Gilbert wrote:
> This patch is in response to this report:
> http://www.spinics.net/lists/linux-scsi/msg93456.html
>
> One of the strange things that the original sg driver did was let
> the user provide both a data-out buffer (it followed the
> sg_header+cdb) _and_ specify a reply length greater than zero. What
> happened was that the user data-out buffer was copied into some
> kernel buffers and then the mid level was told a read type operation
> would take place with the data from the device overwriting the same
> kernel buffers. The user would then read those kernel buffers back
> into the user space.
>
> From what I can tell, the above action was broken by a change in
> 2008 and syzkaller found that out recently.
>
> ChangeLog:
> make sure that a user space pointer is passed through
> when data follows the sg_header structure and command.
> Fix the abnormal case when a non-zero reply_len is also
> given.
>
> Signed-off-by: Douglas Gilbert <dgilbert@xxxxxxxxxxxx>

This looks correct to me. hp->dxferp used to be set unconditionally, but
commit fad7f01e changed it to only be set in the SG_DXFER_TO_DEV case.

Reviewed-by: Ewan D. Milne <emilne@xxxxxxxxxx>