From patchwork Thu Oct 13 17:52:39 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 2307
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, stable@kernel.org, "James E.J. Bottomley", "Martin K. Petersen", Dan Carpenter, hdthky, Linus Torvalds
Subject: [PATCH 5.15 10/27] scsi: stex: Properly zero out the passthrough command structure
Date: Thu, 13 Oct 2022 19:52:39 +0200
Message-Id: <20221013175143.903886116@linuxfoundation.org>
In-Reply-To: <20221013175143.518476113@linuxfoundation.org>
References: <20221013175143.518476113@linuxfoundation.org>

From: Linus Torvalds

commit 6022f210461fef67e6e676fd8544ca02d1bcfa7a upstream.

The passthrough structure is declared off of the stack, so it needs to be
set to zero before copied back to userspace to prevent any unintentional
data leakage.  Switch things to be statically allocated which will fill
the unused fields with 0 automatically.

Link: https://lore.kernel.org/r/YxrjN3OOw2HHl9tx@kroah.com
Cc: stable@kernel.org
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: Dan Carpenter
Reported-by: hdthky
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman
---
 drivers/scsi/stex.c      | 17 +++++++++--------
 include/scsi/scsi_cmnd.h |  2 +-
 2 files changed, 10 insertions(+), 9 deletions(-)

--- a/drivers/scsi/stex.c +++ b/drivers/scsi/stex.c @@ -665,16 +665,17 @@ stex_queuecommand_lck(struct scsi_cmnd * return 0; case PASSTHRU_CMD: if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) { - struct st_drvver ver; + const struct st_drvver ver = { + .major = ST_VER_MAJOR, + .minor = ST_VER_MINOR, + .oem = ST_OEM, + .build = ST_BUILD_VER, + .signature[0] = PASSTHRU_SIGNATURE, + .console_id = host->max_id - 1, + .host_no = hba->host->host_no, + }; size_t cp_len = sizeof(ver); - ver.major = ST_VER_MAJOR; - ver.minor = ST_VER_MINOR; - ver.oem = ST_OEM; - ver.build = ST_BUILD_VER; - ver.signature[0] = PASSTHRU_SIGNATURE; - ver.console_id = host->max_id - 1; - ver.host_no = hba->host->host_no; cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len); if (sizeof(ver) == cp_len) cmd->result = DID_OK << 16; --- a/include/scsi/scsi_cmnd.h +++ b/include/scsi/scsi_cmnd.h @@ -211,7 +211,7 @@ static inline unsigned int scsi_get_resi for_each_sg(scsi_sglist(cmd), sg, nseg, __i) static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd, - void *buf, int buflen) + const void *buf, int buflen) { return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd), buf, buflen);
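
Review bot: in the drivers/scsi/stex.c hunk, "const struct st_drvver ver = { ... }" carries no "static", so the object is still an automatic (stack) variable rather than statically allocated as the commit message puts it. The designated initializer does zero every member it does not name, including signature[1] onward, but C does not promise that padding bytes inside an automatic struct are cleared, and all sizeof(ver) bytes are handed to scsi_sg_copy_from_buffer(). The definition of struct st_drvver is not shown in this patch; if the layout has any holes, an explicit memset(&ver, 0, sizeof(ver)) followed by the field assignments (dropping the const) would make the zeroing unconditional, and if it has none, a short comment saying so next to the initializer would help the next reader.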
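
Review bot: in the include/scsi/scsi_cmnd.h hunk, buf becomes "const void *" but is passed straight through to sg_copy_from_buffer(), whose prototype is not touched or shown by this patch. For the 5.15 backport it is worth confirming that the tree's sg_copy_from_buffer() already accepts a const pointer, otherwise the call discards the qualifier. Separately, buflen stays "int" while the stex caller passes a size_t cp_len and stores the int return value back into it before comparing against sizeof(ver); aligning those types could be done in a follow-up.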