RE: [PATCH] scsi: aacraid: fix leak of data from stack back to userspace

2017-06-13 Thread Dave Carroll 
> -Original Message-
> From: Colin King [mailto:colin.k...@canonical.com]
> Sent: Monday, May 15, 2017 8:56 AM
> To: Raghava Aditya Renukunta <raghavaaditya.renuku...@microsemi.com>;
> dl-esc-Aacraid Linux Driver <aacr...@microsemi.com>; James E . J . Bottomley
> <j...@linux.vnet.ibm.com>; Martin K . Petersen
> <martin.peter...@oracle.com>; linux-scsi@vger.kernel.org
> Cc: kernel-janit...@vger.kernel.org; linux-ker...@vger.kernel.org
> Subject: [PATCH] scsi: aacraid: fix leak of data from stack back to userspace
> 
> From: Colin Ian King <colin.k...@canonical.com>
> 
> The fields sense_data_size and sense_data are unitialized garbage from the
> stack and are being copied back to userspace.  Fix this leak of stack 
> information
> by ensuring they are zero'd.
> 
> Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")
> 
> Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
> Signed-off-by: Colin Ian King <colin.k...@canonical.com>
> ---
>  drivers/scsi/aacraid/commctrl.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
Acked-by: Dave Carroll <david.carr...@microsemi.com>

Re: [PATCH] scsi: aacraid: fix leak of data from stack back to userspace

2017-05-15 Thread walter harms 


Am 15.05.2017 16:56, schrieb Colin King:
> From: Colin Ian King 
> 
> The fields sense_data_size and sense_data are unitialized garbage from
> the stack and are being copied back to userspace.  Fix this leak of
> stack information by ensuring they are zero'd.
> 
> Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")
> 
> Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
> Signed-off-by: Colin Ian King 
> ---
>  drivers/scsi/aacraid/commctrl.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
> index 106b9332f718..6bb6ed48e31d 100644
> --- a/drivers/scsi/aacraid/commctrl.c
> +++ b/drivers/scsi/aacraid/commctrl.c
> @@ -955,6 +955,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void 
> __user * arg)
>   reply.srb_status = SRB_STATUS_SUCCESS;
>   reply.scsi_status = 0;
>   reply.data_xfer_length = byte_count;
> + reply.sense_data_size = 0;
> + memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
>   } else {
>   reply.srb_status = err->service_response;
>   reply.scsi_status = err->status;


an other idea would be initialize the reply with zero:
struct aac_srb_reply reply={0};

maybe that is more future proof but i have no idea about the speed penalty.

just my 2 cents,
 wh

[PATCH] scsi: aacraid: fix leak of data from stack back to userspace

2017-05-15 Thread Colin King 
From: Colin Ian King 

The fields sense_data_size and sense_data are unitialized garbage from
the stack and are being copied back to userspace.  Fix this leak of
stack information by ensuring they are zero'd.

Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")

Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
Signed-off-by: Colin Ian King 
---
 drivers/scsi/aacraid/commctrl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index 106b9332f718..6bb6ed48e31d 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -955,6 +955,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void 
__user * arg)
reply.srb_status = SRB_STATUS_SUCCESS;
reply.scsi_status = 0;
reply.data_xfer_length = byte_count;
+   reply.sense_data_size = 0;
+   memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
} else {
reply.srb_status = err->service_response;
reply.scsi_status = err->status;
-- 
2.11.0