Skip to content
Snippets Groups Projects
Commit 0f6fcb8c authored by Linus Torvalds's avatar Linus Torvalds Committed by Yongqiang Liu
Browse files

scsi: stex: Properly zero out the passthrough command structure

stable inclusion
from stable-v4.19.262
commit a99c5e38dc6c3dc3da28489b78db09a4b9ffc8c3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5ROPX
CVE: CVE-2022-40768

-------------------------------

commit 6022f210461fef67e6e676fd8544ca02d1bcfa7a upstream.

The passthrough structure is declared off of the stack, so it needs to be
set to zero before copied back to userspace to prevent any unintentional
data leakage.  Switch things to be statically allocated which will fill the
unused fields with 0 automatically.

Link: https://lore.kernel.org/r/YxrjN3OOw2HHl9tx@kroah.com


Cc: stable@kernel.org
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: default avatarhdthky <hdthky0@gmail.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarLu Jialin <lujialin4@huawei.com>
Reviewed-by: default avatarGONG Ruiqi <gongruiqi1@huawei.com>
Reviewed-by: default avatarCai Xinchen <caixinchen1@huawei.com>
Reviewed-by: default avatarWang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: default avatarYongqiang Liu <liuyongqiang13@huawei.com>
parent 09135a1c
No related tags found
No related merge requests found
...@@ -673,16 +673,17 @@ stex_queuecommand_lck(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *)) ...@@ -673,16 +673,17 @@ stex_queuecommand_lck(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *))
return 0; return 0;
case PASSTHRU_CMD: case PASSTHRU_CMD:
if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) { if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
struct st_drvver ver; const struct st_drvver ver = {
.major = ST_VER_MAJOR,
.minor = ST_VER_MINOR,
.oem = ST_OEM,
.build = ST_BUILD_VER,
.signature[0] = PASSTHRU_SIGNATURE,
.console_id = host->max_id - 1,
.host_no = hba->host->host_no,
};
size_t cp_len = sizeof(ver); size_t cp_len = sizeof(ver);
ver.major = ST_VER_MAJOR;
ver.minor = ST_VER_MINOR;
ver.oem = ST_OEM;
ver.build = ST_BUILD_VER;
ver.signature[0] = PASSTHRU_SIGNATURE;
ver.console_id = host->max_id - 1;
ver.host_no = hba->host->host_no;
cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len); cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
cmd->result = sizeof(ver) == cp_len ? cmd->result = sizeof(ver) == cp_len ?
DID_OK << 16 | COMMAND_COMPLETE << 8 : DID_OK << 16 | COMMAND_COMPLETE << 8 :
......
...@@ -233,7 +233,7 @@ static inline struct scsi_data_buffer *scsi_out(struct scsi_cmnd *cmd) ...@@ -233,7 +233,7 @@ static inline struct scsi_data_buffer *scsi_out(struct scsi_cmnd *cmd)
} }
static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd, static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,
void *buf, int buflen) const void *buf, int buflen)
{ {
return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd), return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
buf, buflen); buf, buflen);
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment