Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.9.y 2024-07-25T07:53:19Z 2024-07-25T07:53:19Z Justin Stitt justinstitt@google.com 2024-05-08T17:22:51Z urn:sha1:d1297c83bc7322f604fc31158efbecd298a89a8d [ Upstream commit 9fad9d560af5c654bb38e0b07ee54a4e9acdc5cd ] Running syzkaller with the newly reintroduced signed integer overflow sanitizer produces this report: [ 65.194362] ------------[ cut here ]------------ [ 65.197752] UBSAN: signed-integer-overflow in ../drivers/scsi/sr_ioctl.c:436:9 [ 65.203607] -2147483648 * 177 cannot be represented in type 'int' [ 65.207911] CPU: 2 PID: 10416 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 [ 65.213585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 65.219923] Call Trace: [ 65.221556] <TASK> [ 65.223029] dump_stack_lvl+0x93/0xd0 [ 65.225573] handle_overflow+0x171/0x1b0 [ 65.228219] sr_select_speed+0xeb/0xf0 [ 65.230786] ? __pm_runtime_resume+0xe6/0x130 [ 65.233606] sr_block_ioctl+0x15d/0x1d0 ... Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang. It was re-enabled in the kernel with Commit 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer"). Firstly, let's change the type of "speed" to unsigned long as sr_select_speed()'s only caller passes in an unsigned long anyways. $ git grep '\.select_speed' | drivers/scsi/sr.c: .select_speed = sr_select_speed, ... | static int cdrom_ioctl_select_speed(struct cdrom_device_info *cdi, | unsigned long arg) | { | ... | return cdi->ops->select_speed(cdi, arg); | } Next, let's add an extra check to make sure we don't exceed 0xffff/177 (350) since 0xffff is the max speed. This has two benefits: 1) we deal with integer overflow before it happens and 2) we properly respect the max speed of 0xffff. There are some "magic" numbers here but I did not want to change more than what was necessary. Link: https://github.com/llvm/llvm-project/pull/82432 [1] Closes: https://github.com/KSPP/linux/issues/357 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> Link: https://lore.kernel.org/r/20240508-b4-b4-sio-sr_select_speed-v2-1-00b68f724290@google.com Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-01-14T02:34:09Z Mike Christie michael.christie@oracle.com 2022-12-29T19:01:50Z urn:sha1:49d33b6245d91a2ca20755cd4edf86dd0e49649e scsi_execute*() is going to be removed. Convert sr to scsi_execute_cmd(). Signed-off-by: Mike Christie <michael.christie@oracle.com> Reviewed-by: John Garry <john.g.garry@oracle.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2022-04-19T02:48:31Z Tom Rix trix@redhat.com 2022-04-11T17:47:56Z urn:sha1:faad6cebded8e0fd902b672f220449b93db479eb sr_ioctl.c uses this pattern: result = sr_do_ioctl(cd, &cgc); to-user = buffer[]; kfree(buffer); return result; Use of a buffer without checking leaks information. Check result and jump over the use of buffer if there is an error. result = sr_do_ioctl(cd, &cgc); if (result) goto err; to-user = buffer[]; err: kfree(buffer); return result; Additionally, initialize the buffer to zero. This problem can be seen in the 2.4.0 kernel. Link: https://lore.kernel.org/r/20220411174756.2418435-1-trix@redhat.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Tom Rix <trix@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-09-14T02:15:49Z Colin Ian King colin.king@canonical.com 2021-08-26T11:57:14Z urn:sha1:e699a4e1d37314eb842ba9de19a7ccee7f75da10 There is a spelling mistake in a literal string. Fix it. Link: https://lore.kernel.org/r/20210826115714.11844-1-colin.king@canonical.com Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-06-01T03:59:18Z Hannes Reinecke hare@suse.de 2021-04-27T08:30:46Z urn:sha1:3d45cefc8edd7f560e6c97a8d9928ad571f76dec Originally the SCSI subsystem has been using 'special' SCSI status codes, which were the SAM-specified ones but shifted by 1. As most drivers have now been modified to use the SAM-specified ones, having two nearly identical sets of definitions only causes confusion. The Linux-specifed SCSI status codes have been marked obsolete for several years so drop them and use the SAM-specified status codes throughout. Link: https://lore.kernel.org/r/20210427083046.31620-41-hare@suse.de Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-06-01T02:48:22Z Hannes Reinecke hare@suse.com 2021-04-27T08:30:20Z urn:sha1:54c29086195fd72b6a290ef367e71f73fa657b1f The driver_byte field in the result is now unused, so we can drop the definitions. Link: https://lore.kernel.org/r/20210427083046.31620-15-hare@suse.de Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-06-01T02:48:21Z Hannes Reinecke hare@suse.de 2021-04-27T08:30:12Z urn:sha1:ced202f7bd78eb6a79c441a8b217e0f3d38bccfc Return the actual error code in __scsi_execute() (which, according to the documentation, should have happened anyway). And audit all callers to cope with negative return values from __scsi_execute() and friends. [mkp: resolve conflict and return bool] Link: https://lore.kernel.org/r/20210427083046.31620-7-hare@suse.de Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2021-04-06T15:28:17Z Christoph Hellwig hch@lst.de 2021-03-31T07:29:58Z urn:sha1:aaff5ebaa2694f283b7d07fdd55fb287ffc4f1e9 Remove the unchecked_isa_dma now that all users are gone. Signed-off-by: Christoph Hellwig <hch@lst.de> Acked-by: Martin K. Petersen <martin.petersen@oracle.com> Reviewed-by: Hannes Reinecke <hare@suse.de> Link: https://lore.kernel.org/r/20210331073001.46776-6-hch@lst.de Signed-off-by: Jens Axboe <axboe@kernel.dk> 2020-12-12T18:12:25Z Sebastian Andrzej Siewior bigeasy@linutronix.de 2020-12-04T16:48:49Z urn:sha1:8d2ac857a81d5a44b9643038291ea958bbf05c7f sr_read_sector() is hardly used since v2.3.16. Its only purpose is to check if it is a XA medium via sr_is_xa(). This check is only enabled if the module parameter `xa_test' is enabled. Change the sector size back to 2048 if it was changed. With this change, there is no lazy sector size changing left. Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2018-08-02T21:22:13Z Kees Cook keescook@chromium.org 2018-08-02T21:22:13Z urn:sha1:e7d0748dd71695b94f3a35c8bdc05226a7f3d919 There is a lot of needless struct request_sense usage in the CDROM code. These can all be struct scsi_sense_hdr instead, to avoid any confusion over their respective structure sizes. This patch is a lot of noise changing "sense" to "sshdr", but the final code is more readable to distinguish between "sense" meaning "struct request_sense" and "sshdr" meaning "struct scsi_sense_hdr". Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jens Axboe <axboe@kernel.dk>