Commit 50fb928d authored by Damien Le Moal, committed by Li Nan

scsi: sd: Fix sd_do_mode_sense() buffer length handling

mainline inclusion
from mainline-v5.16-rc1
commit c749301e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNFK
CVE: CVE-2021-47182

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c749301ebee82eb5e97dec14b6ab31a4aabe37a6

--------------------------------

For devices that explicitly asked for MODE SENSE(10) use, make sure that
scsi_mode_sense() is called with a buffer of at least 8 bytes so that the
sense header fits.

Link: https://lore.kernel.org/r/20210820070255.682775-4-damien.lemoal@wdc.com


Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Fixes: 46708639bcd8 ("[Backport] scsi: core: Fix scsi_mode_sense() buffer length handling")
Signed-off-by: Li Nan <linan122@huawei.com>
parent f238d4e5
+7 −0
@@ -2657,6 +2657,13 @@ sd_do_mode_sense(struct scsi_disk *sdkp, int dbd, int modepage,
		 unsigned char *buffer, int len, struct scsi_mode_data *data,
		 struct scsi_sense_hdr *sshdr)
{
	/*
	 * If we must use MODE SENSE(10), make sure that the buffer length
	 * is at least 8 bytes so that the mode sense header fits.
	 */
	if (sdkp->device->use_10_for_ms && len < 8)
		len = 8;

	return scsi_mode_sense(sdkp->device, dbd, modepage, buffer, len,
			       SD_TIMEOUT, sdkp->max_retries, data,
			       sshdr);
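
Review bot: The clamp `if (sdkp->device->use_10_for_ms && len < 8) len = 8;` at the top of sd_do_mode_sense() raises the length handed to scsi_mode_sense(), but nothing visible in this hunk guarantees that `buffer` really holds 8 bytes; the function only receives a pointer and the caller's `len`. If a caller ever passes a shorter buffer, the enlarged length no longer describes the memory behind the pointer, and the response could be written past its end. Please state in the new comment (or the commit message) that every caller must supply a buffer of at least 8 bytes, so `len` is not mistaken for the true buffer size later. As a style point, a named constant for the 8-byte MODE SENSE(10) header would be clearer than the bare literal used twice here.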