Commit 6022f210 authored by Linus Torvalds's avatar Linus Torvalds Committed by Martin K. Petersen
Browse files

scsi: stex: Properly zero out the passthrough command structure 

The passthrough structure is declared off of the stack, so it needs to be
set to zero before copied back to userspace to prevent any unintentional
data leakage.  Switch things to be statically allocated which will fill the
unused fields with 0 automatically.

Link: https://lore.kernel.org/r/YxrjN3OOw2HHl9tx@kroah.com


Cc: stable@kernel.org
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: default avatarhdthky <hdthky0@gmail.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent f616efbe

drivers/scsi/stex.c

+9 −8
Original line number Diff line number Diff line
@@ -665,16 +665,17 @@ static int stex_queuecommand_lck(struct scsi_cmnd *cmd) 
		return 0;

	case PASSTHRU_CMD:

		if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {

			struct st_drvver ver;

			const struct st_drvver ver = {

				.major = ST_VER_MAJOR,

				.minor = ST_VER_MINOR,

				.oem = ST_OEM,

				.build = ST_BUILD_VER,

				.signature[0] = PASSTHRU_SIGNATURE,

				.console_id = host->max_id - 1,

				.host_no = hba->host->host_no,

			};

			size_t cp_len = sizeof(ver);



			ver.major = ST_VER_MAJOR;

			ver.minor = ST_VER_MINOR;

			ver.oem = ST_OEM;

			ver.build = ST_BUILD_VER;

			ver.signature[0] = PASSTHRU_SIGNATURE;

			ver.console_id = host->max_id - 1;

			ver.host_no = hba->host->host_no;

			cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);

			if (sizeof(ver) == cp_len)

				cmd->result = DID_OK << 16;

include/scsi/scsi_cmnd.h

+1 −1
Original line number Diff line number Diff line
@@ -201,7 +201,7 @@ static inline unsigned int scsi_get_resid(struct scsi_cmnd *cmd) 
	for_each_sg(scsi_sglist(cmd), sg, nseg, __i)



static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,

					   void *buf, int buflen)

					   const void *buf, int buflen)

{

	return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),

				   buf, buflen);