Subject: [GIT PULL] SCSI fixes for 5.18-rc3
From: James Bottomley
To: Andrew Morton, Linus Torvalds
Cc: linux-scsi, linux-kernel
Date: Sat, 23 Apr 2022 15:19:19 -0400
Content-Transfer-Encoding: quoted-printable

One fix for an information leak caused by copying a buffer to userspace
without checking for error first in the sr driver.

The patch is available here:

git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git scsi-fixes

The short changelog is:

Tom Rix (1):
      scsi: sr: Do not leak information in ioctl

And the diffstat:

 drivers/scsi/sr_ioctl.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

With full diff below.

James

---

diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c index ddd00efc4882..fbdb5124d7f7 100644 --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -41,7 +41,7 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, int result; unsigned char *buffer; =20 - buffer =3D kmalloc(32, GFP_KERNEL); + buffer =3D kzalloc(32, GFP_KERNEL); if (!buffer) return -ENOMEM; =20 @@ -55,10 +55,13 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, cgc.data_direction =3D DMA_FROM_DEVICE; =20 result =3D sr_do_ioctl(cd, &cgc); + if (result) + goto err; =20 tochdr->cdth_trk0 =3D buffer[2]; tochdr->cdth_trk1 =3D buffer[3]; =20 +err: kfree(buffer); return result; }
@@ -71,7 +74,7 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, int result; unsigned char *buffer; =20 - buffer =3D kmalloc(32, GFP_KERNEL); + buffer =3D kzalloc(32, GFP_KERNEL); if (!buffer) return -ENOMEM; =20 @@ -86,6 +89,8 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, cgc.data_direction =3D DMA_FROM_DEVICE; =20 result =3D sr_do_ioctl(cd, &cgc); + if (result) + goto err; =20 tocentry->cdte_ctrl =3D buffer[5] & 0xf; tocentry->cdte_adr =3D buffer[5] >> 4; @@ -98,6 +103,7 @@ static int sr_read_tocentry(struct cdrom_device_info *cd= i, tocentry->cdte_addr.lba =3D (((((buffer[8] << 8) + buffer[9]) << 8) + buffer[10]) << 8) + buffer[11]; =20 +err: kfree(buffer); return result; } @@ -384,7 +390,7 @@ int sr_get_mcn(struct cdrom_device_info *cdi, struct cd= rom_mcn *mcn) { Scsi_CD *cd =3D cdi->handle; struct packet_command cgc; - char *buffer =3D kmalloc(32, GFP_KERNEL); + char *buffer =3D kzalloc(32, GFP_KERNEL); int result; =20 if (!buffer) @@ -400,10 +406,13 @@ int sr_get_mcn(struct cdrom_device_info *cdi, struct = cdrom_mcn *mcn) cgc.data_direction =3D DMA_FROM_DEVICE; cgc.timeout =3D IOCTL_TIMEOUT; result =3D sr_do_ioctl(cd, &cgc); + if (result) + goto err; =20 memcpy(mcn->medium_catalog_number, buffer + 9, 13); mcn->medium_catalog_number[13] =3D 0; =20 +err: kfree(buffer); return result; }
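Review bot: in sr_read_tochdr the new `goto err` path returns without writing tochdr->cdth_trk0 or tochdr->cdth_trk1, so the leak is only closed if every caller checks the return value before copying *tochdr to userspace. The caller is not part of this diff, so either confirm that in the changelog or clear the output struct on the error path so a caller that ignores the return code cannot hand back uninitialized fields.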
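Review bot: in sr_read_tocentry the lines after the new `if (result)` check still consume buffer[5] and buffer[8] through buffer[11] with no visible check on how many bytes the device actually returned, so the kmalloc to kzalloc switch is what keeps a short but successful response from exposing stale heap contents. A one-line comment next to the kzalloc(32, GFP_KERNEL) call saying that would stop it from being reverted later as redundant with the error check.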
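Review bot: in sr_get_mcn the success path depends on bare literals, `memcpy(mcn->medium_catalog_number, buffer + 9, 13)` followed by a terminator write at index [13], against a 32-byte allocation. The arithmetic is in bounds (bytes 9 through 21 of 32), but named constants or a short comment on the response layout would make that checkable without counting. The `err:` path also leaves medium_catalog_number unwritten and unterminated, so callers must not use it when the return value is nonzero.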