block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg()

scsi_put_cdrom_generic_arg() is copying uninitialized stack memory to userspace, since the compiler may leave a 3-byte hole in the middle of `cgc32`. Fix it by adding a padding field to `struct compat_cdrom_generic_command`. Cc: stable@vger.kernel.org Fixes: f3ee6e63 ("compat_ioctl: move CDROM_SEND_PACKET handling into scsi") Suggested-by: Dan Carpenter <dan.carpenter@oracle.com> Suggested-by: Arnd Bergmann <arnd@arndb.de> Reported-by: syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>

block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg()
scsi_put_cdrom_generic_arg() is copying uninitialized stack memory to userspace, since the compiler may leave a 3-byte hole in the middle of `cgc32`. Fix it by adding a padding field to `struct compat_cdrom_generic_command`. Cc: stable@vger.kernel.org Fixes: f3ee6e63 ("compat_ioctl: move CDROM_SEND_PACKET handling into scsi") Suggested-by: Dan Carpenter <dan.carpenter@oracle.com> Suggested-by: Arnd Bergmann <arnd@arndb.de> Reported-by: syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
6d53a9fe · Peilin Ye · Jens Axboe · 632bfb63 · 6d53a9fe
Commit 6d53a9fe authored Oct 02, 2020 by Peilin Ye Committed by Jens Axboe Oct 02, 2020
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

block/scsi_ioctl.c block/scsi_ioctl.c +1 -0

No files found.
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -651,6 +651,7 @@ struct compat_cdrom_generic_command {
 	compat_int_t	stat;
 	compat_caddr_t	sense;
 	unsigned char	data_direction;
+	unsigned char	pad[3];
 	compat_int_t	quiet;
 	compat_int_t	timeout;
 	compat_caddr_t	reserved[1];