On Mon, Dec 10, 2018 at 06:14:16PM +0000, Ben Hutchings wrote:
From: Jens Axboe axboe@kernel.dk
commit f7068114d45ec55996b9040e98111afa56e010fe upstream.
We're casting the CDROM layer request_sense to the SCSI sense buffer, but the former is 64 bytes and the latter is 96 bytes. As we generally allocate these on the stack, we end up blowing up the stack.
Fix this by wrapping the scsi_execute() call with a properly sized sense buffer, and copying back the bits for the CDROM layer.
Reported-by: Piotr Gabriel Kosinski pg.kosinski@gmail.com Reported-by: Daniel Shapira daniel@twistlock.com Tested-by: Kees Cook keescook@chromium.org Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") Signed-off-by: Jens Axboe axboe@kernel.dk [bwh: Despite what the "Fixes" field says, a buffer overrun was already possible if the sense data was really > 64 bytes long. Backported to 4.9:
- We always need to allocate a sense buffer in order to call scsi_normalize_sense()
- Remove the existing conditional heap-allocation of the sense buffer]
Signed-off-by: Ben Hutchings ben.hutchings@codethink.co.uk
Queued for 4.9, thank you.
-- Thanks, Sasha