From patchwork Mon Jul 24 20:43:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tony Battersby X-Patchwork-Id: 125197 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9010:0:b0:3e4:2afc:c1 with SMTP id l16csp2059986vqg; Mon, 24 Jul 2023 14:20:24 -0700 (PDT) X-Google-Smtp-Source: APBJJlFJxgTI+F58ww3NpotVL6dlzpDX4CZAC81f/0aVHsk1uwKLSlAD77KJzouc8rw/TZHaPoxV X-Received: by 2002:a17:902:be07:b0:1ac:7245:ba5a with SMTP id r7-20020a170902be0700b001ac7245ba5amr7779974pls.61.1690233623994; Mon, 24 Jul 2023 14:20:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690233623; cv=none; d=google.com; s=arc-20160816; b=PxRX314wYBYN4hIw7xhxU8lLz1rHxwv82aja/Gs6vn41jJM0tFHeV4FRJeadH8/cq1 ahsRzkbIx0JMmmUp1+rXeZJKpJnO19JoTvQ4JD/r9Jix/DgnnDupgunrmi6bLXxBMJeJ sw8vrO9MzhLbIJZgPVBnI+BNYo/1nyZNQNFZ3Q4Q/8EDfOsyZ1W4kIOqkdKp0rBWzwU8 bprC7d5qqdkTIaP0sjzYJ91YqcGvFHg6ALIc6Hs/IuLcYT920x4wTiWWcB/ayd5bK0Bn YBpdGyxIg0DQaCq07FRfxEVEoX0Mj5NtE3YQbquOsFUJbnNM4RSzz6L4VZaQXcrWUclv 2oiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:subject:from:cc:to :content-language:user-agent:mime-version:date:message-id :dkim-signature; bh=vEkIZa3trZFApyXz99Xah7C6lrxYHNxCiLNzQIDhMWs=; fh=DK5ixPM4vn+iko8rOvMg1qOyVC/+MTI3u+tjjQRZ4Oc=; b=LUCy8/0j3ksQQRGIH0s7V39KJ1pXe3k3VxAKAZV7w/q6ikHnCh6/lSjBzW5arjvFJH hvvX3eb+A72hm/m7MtHlpudlags108U3ZFTACSRRfszYewsuKRmGJMVJT/Fri4X7QyDS 0d2MHP74e7Pc2mWKWz503sXSqqIvWGZRmpe1xzVrZMdoy5C/Ngt9Ce83FfsWoC/bexcE 3HxFyOKYIgI4AWDYOrk+Dwc5BPtxQrNJ1EPbJCoBX6LuaoJSygEOvsoJraFPG8WMXLl2 +QOwDctNbRvZxhS5aBrolGOxEORcG5F9O/gmpZI9HkYZRJBE4Z8BZyYjdZ1Kmue2F281 5GWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cybernetics.com header.s=mail header.b=TJgzCvxU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cybernetics.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x14-20020a170902ec8e00b001b8a8f359fcsi10393952plg.208.2023.07.24.14.20.00; Mon, 24 Jul 2023 14:20:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@cybernetics.com header.s=mail header.b=TJgzCvxU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cybernetics.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229828AbjGXU5c (ORCPT + 99 others); Mon, 24 Jul 2023 16:57:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42460 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229831AbjGXU5a (ORCPT ); Mon, 24 Jul 2023 16:57:30 -0400 X-Greylist: delayed 812 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Mon, 24 Jul 2023 13:57:27 PDT Received: from mail.cybernetics.com (mail.cybernetics.com [72.215.153.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B0C0610FD for ; Mon, 24 Jul 2023 13:57:27 -0700 (PDT) X-ASG-Debug-ID: 1690231433-1cf4391f2718a3f0001-xx1T2L Received: from cybernetics.com ([10.10.4.126]) by mail.cybernetics.com with ESMTP id ckntnvKwGMAvM1j7; Mon, 24 Jul 2023 16:43:53 -0400 (EDT) X-Barracuda-Envelope-From: tonyb@cybernetics.com X-Barracuda-RBL-Trusted-Forwarder: 10.10.4.126 X-ASG-Whitelist: Client DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cybernetics.com; s=mail; bh=vEkIZa3trZFApyXz99Xah7C6lrxYHNxCiLNzQIDhMWs=; h=Content-Transfer-Encoding:Content-Type:Subject:From:Cc:To:Content-Language: MIME-Version:Date:Message-ID; b=TJgzCvxUcbSYTrmpYpWVwQOrCp+CPrbFkLQnnYppKgqSd m/DrIaLt5YEWsGABC6MjJ4p453KT3JLJu7OUMfQoMjkiPzswNpPHy/vKKjAm83lkCj6TprFA9kGie eemaYwGCuE/S2zS/g9DU5vBXvVbZuffEI135bHcV3zJaVt1X0= Received: from [10.157.2.224] (HELO [192.168.200.1]) by cybernetics.com (CommuniGate Pro SMTP 7.1.1) with ESMTPS id 12730561; Mon, 24 Jul 2023 16:43:53 -0400 Message-ID: X-Barracuda-RBL-Trusted-Forwarder: 10.157.2.224 Date: Mon, 24 Jul 2023 16:43:53 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Content-Language: en-US To: "James E.J. Bottomley" , "Martin K. Petersen" , Willy Tarreau Cc: linux-scsi , "linux-kernel@vger.kernel.org" From: Tony Battersby Subject: [PATCH RFC] scsi {add,remove}-single-device and /proc/scsi/scsi X-ASG-Orig-Subj: [PATCH RFC] scsi {add,remove}-single-device and /proc/scsi/scsi X-Barracuda-Connect: UNKNOWN[10.10.4.126] X-Barracuda-Start-Time: 1690231433 X-Barracuda-URL: https://10.10.4.122:443/cgi-mod/mark.cgi X-Barracuda-BRTS-Status: 0 X-Virus-Scanned: by bsmtpd at cybernetics.com X-Barracuda-Scan-Msg-Size: 4248 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772338412497787606 X-GMAIL-MSGID: 1772338412497787606 I am trying to fix a bug in the parser for these commands: echo "scsi add-single-device host channel id lun" > /proc/scsi/scsi echo "scsi remove-single-device host channel id lun" > /proc/scsi/scsi With the current parser, if you omit some of the fields (for example the lun), then the kernel will usually fill in the missing parameters with a 0, but on rare occasion it might supply something else.  So my question for linux-scsi is: does anyone rely on omitting some of the parameters in the cmds above and expect the kernel to supply 0 for the missing parameters (for example lun is often 0)?  If so, then I can make the parser always supply a 0 for the missing parameters.  If not, then I can make the parser return an error if there are paramters missing, on the theory that guessing which device to add or remove is a bad idea. Below is the patch to return an error for a missing parameter.  The patch to use 0 instead of returning an error is similar but intead of goto uses: host = (p < end) ? simple_strtoul(p, &p, 0) : 0; channel = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; id = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; lun = (p + 1 < end) ? simple_strtoul(p + 1, &p, 0) : 0; --- From 4f8f3291b18fddb2cf75581a2a2cf847fd2896a7 Mon Sep 17 00:00:00 2001 From: Tony Battersby Date: Fri, 21 Jul 2023 11:12:27 -0400 Subject: [PATCH] scsi: core: fix parsing of scsi {add,remove}-single-device When parsing the "scsi add-single-device" and "scsi remove-single-device" commands written to /proc/scsi/scsi, make sure the parser doesn't skip over the NUL string terminator and read past the end of the user-supplied string. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Tony Battersby --- drivers/scsi/scsi_proc.c | 48 +++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 11 deletions(-) diff --git a/drivers/scsi/scsi_proc.c b/drivers/scsi/scsi_proc.c index 4a6eb1741be0..b27c8da83e62 100644 --- a/drivers/scsi/scsi_proc.c +++ b/drivers/scsi/scsi_proc.c @@ -406,7 +406,7 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf, size_t length, loff_t *ppos) { int host, channel, id, lun; - char *buffer, *p; + char *buffer, *end, *p; int err; if (!buf || length > PAGE_SIZE) @@ -421,10 +421,14 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf, goto out; err = -EINVAL; - if (length < PAGE_SIZE) - buffer[length] = '\0'; - else if (buffer[PAGE_SIZE-1]) - goto out; + if (length < PAGE_SIZE) { + end = buffer + length; + *end = '\0'; + } else { + end = buffer + PAGE_SIZE - 1; + if (*end) + goto out; + } /* * Usage: echo "scsi add-single-device 0 1 2 3" >/proc/scsi/scsi @@ -432,11 +436,22 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf, */ if (!strncmp("scsi add-single-device", buffer, 22)) { p = buffer + 23; + if (p >= end) + goto out; host = simple_strtoul(p, &p, 0); - channel = simple_strtoul(p + 1, &p, 0); - id = simple_strtoul(p + 1, &p, 0); - lun = simple_strtoul(p + 1, &p, 0); + if (++p >= end) + goto out; + + channel = simple_strtoul(p, &p, 0); + if (++p >= end) + goto out; + + id = simple_strtoul(p, &p, 0); + if (++p >= end) + goto out; + + lun = simple_strtoul(p, &p, 0); err = scsi_add_single_device(host, channel, id, lun); @@ -446,11 +461,22 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf, */ } else if (!strncmp("scsi remove-single-device", buffer, 25)) { p = buffer + 26; + if (p >= end) + goto out; host = simple_strtoul(p, &p, 0); - channel = simple_strtoul(p + 1, &p, 0); - id = simple_strtoul(p + 1, &p, 0); - lun = simple_strtoul(p + 1, &p, 0); + if (++p >= end) + goto out; + + channel = simple_strtoul(p, &p, 0); + if (++p >= end) + goto out; + + id = simple_strtoul(p, &p, 0); + if (++p >= end) + goto out; + + lun = simple_strtoul(p, &p, 0); err = scsi_remove_single_device(host, channel, id, lun); }