From patchwork Thu May 14 21:55:52 2020
X-Patchwork-Submitter: Pavel Machek
X-Patchwork-Id: 11549889
Date: Thu, 14 May 2020 23:55:52 +0200
From: "Pavel Machek"
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] CVE-2020-12770: easy backport of sg code
Message-ID: <20200514215552.GA18872@amd>
User-Agent: Mutt/1.5.23 (2014-03-12)

Hi!

So let me investigate...

Mainline fix is commit 83c6f2390040f188cc25b270b4befeb5628c1aee.

Backport for 4.19 looks really easy, and I can't see anything wrong there:

commit c45e3bcdebb204ef1ba1d00f41fe7ed39c4dd8cd
Author: Pavel Machek
Date:   Thu May 14 23:47:42 2020 +0200

    Backport.

    commit 83c6f2390040f188cc25b270b4befeb5628c1aee ...

    scsi: sg: add sg_remove_request in sg_write

    If the __copy_from_user function failed we need to call
    sg_remove_request in sg_write.

    Link: https://lore.kernel.org/r/610618d9-e983-fd56-ed0f-639428343af7@huawei.com
    Acked-by: Douglas Gilbert
    Signed-off-by: Wu Bo
    Signed-off-by: Martin K. Petersen

And I don't see a problem with 4.4, either.

Best regards,
	Pavel

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 8a254bb46a9b..4f00d3062bd6 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -694,8 +694,10 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) hp->flags = input_size; /* structure abuse ... */ hp->pack_id = old_hdr.pack_id; hp->usr_ptr = NULL; - if (__copy_from_user(cmnd, buf, cmd_size)) + if (__copy_from_user(cmnd, buf, cmd_size)) { + sg_remove_request(sfp, srp); return -EFAULT; + } /* * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV, * but is is possible that the app intended SG_DXFER_TO_DEV, because there
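Review bot: the point to confirm before merging into 4.19 and 4.4 is that srp on this path was obtained from sg_add_request(sfp) earlier in sg_write, before the hp->flags / hp->pack_id / hp->usr_ptr assignments shown as context, so that the new sg_remove_request(sfp, srp) call balances exactly that allocation and no later cleanup releases the same request a second time. With that established, the hunk is a faithful backport of the upstream change quoted in the message: the previously bare `return -EFAULT;` is now wrapped in a block that first removes the request, the closing `+ }` is in place, and the `-694,8 +694,10` header is consistent with the two added lines. Without this call a failed __copy_from_user leaves the request attached to the file's request list, which is the leak the commit message describes.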