From 6d53a9fe5a1983490bc14b3a64d49fabb4ccc651 Mon Sep 17 00:00:00 2001 From: Peilin Ye Date: Fri, 2 Oct 2020 10:22:23 -0400 Subject: block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg() scsi_put_cdrom_generic_arg() is copying uninitialized stack memory to userspace, since the compiler may leave a 3-byte hole in the middle of `cgc32`. Fix it by adding a padding field to `struct compat_cdrom_generic_command`. Cc: stable@vger.kernel.org Fixes: f3ee6e63a9df ("compat_ioctl: move CDROM_SEND_PACKET handling into scsi") Suggested-by: Dan Carpenter Suggested-by: Arnd Bergmann Reported-by: syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com Signed-off-by: Peilin Ye Signed-off-by: Jens Axboe
---
 block/scsi_ioctl.c | 1 + 1 file changed, 1 insertion(+) (limited to 'block')
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index ef722f04f88a..72108404718f 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -651,6 +651,7 @@ struct compat_cdrom_generic_command {
 compat_int_t stat;
 compat_caddr_t sense;
 unsigned char data_direction;
+ unsigned char pad[3];
 compat_int_t quiet;
 compat_int_t timeout;
 compat_caddr_t reserved[1];
-- cgit v1.2.3
From 7370997d48520ad923e8eb4deb59ebf290396202 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Wed, 7 Oct 2020 14:40:09 +0200 Subject: partitions/ibm: fix non-DASD devices Don't error out if the dasd_biodasdinfo symbol is not available. Cc: stable@vger.kernel.org Fixes: 26d7e28e3820 ("s390/dasd: remove ioctl_by_bdev calls") Reported-by: Christian Borntraeger Signed-off-by: Christoph Hellwig Tested-by: Christian Borntraeger Reviewed-by: Stefan Haberland Signed-off-by: Jens Axboe
---
 block/partitions/ibm.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'block')
diff --git a/block/partitions/ibm.c b/block/partitions/ibm.c
index d6e18df9c53c..4b044e620d35 100644
--- a/block/partitions/ibm.c
+++ b/block/partitions/ibm.c
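Review bot: The new `pad[3]` member in `struct compat_cdrom_generic_command` carries no comment, so nothing at the definition tells a later reader that it exists to keep uninitialized stack bytes out of the copy to userspace, and a cleanup could drop it as unused. I would add `/* explicit padding: named so the initializer zeroes it before the struct is copied to userspace */` above the field. The fix also relies on the struct having no other implicit gap, which the hunk cannot show; a compile-time size or offset check placed next to the definition would catch a future member that reintroduces a hole. The struct definition begins in the hunk header and continues past the last context line.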
@@ -305,8 +305,6 @@ int ibm_partition(struct parsed_partitions *state)
 if (!disk->fops->getgeo)
 goto out_exit;
 fn = symbol_get(dasd_biodasdinfo);
- if (!fn)
- goto out_exit;
 blocksize = bdev_logical_block_size(bdev);
 if (blocksize <= 0)
 goto out_symbol;
@@ -326,7 +324,7 @@ int ibm_partition(struct parsed_partitions *state)
 geo->start = get_start_sect(bdev);
 if (disk->fops->getgeo(bdev, geo))
 goto out_freeall;
- if (fn(disk, info)) {
+ if (!fn || fn(disk, info)) {
 kfree(info);
 info = NULL;
 }
@@ -370,7 +368,8 @@ out_nolab:
 out_nogeo:
 kfree(info);
 out_symbol:
- symbol_put(dasd_biodasdinfo);
+ if (fn)
+ symbol_put(dasd_biodasdinfo);
 out_exit:
 return res;
 }
-- cgit v1.2.3
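Review bot: In the second hunk, `if (!fn || fn(disk, info))` folds two different situations into one branch, the DASD symbol being unavailable and the DASD query failing, and nothing in the code says that a NULL `fn` is an expected case rather than an error. A comment above the test such as `/* no dasd_biodasdinfo symbol: not a DASD device, continue without info */` would record what the commit description states. The code after this point lies outside the hunk and must accept `info == NULL`; that was presumably already true for the failure case, but it is worth confirming for every later use. The `if (fn)` guard before `symbol_put()` in the third hunk has to stay paired with this change, since it prevents releasing a symbol reference that was never taken.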