Message ID | 1523979202-61407-1-git-send-email-bryantly@linux.vnet.ibm.com (mailing list archive) |
---|---|
State | Accepted |
Headers | show |
Bryant, > The bug exists in the memcmp in which the length passed in must be > guaranteed to be 1. This bug currently exists because the second > pointer passed in, can be smaller than the cmd->data_length, which > causes a fortify_panic. > > The fix is to use memchr_inv instead to find whether or not a 0 exists > instead of using memcmp. This way you dont have to worry about buffer > overflow which is the reason for the fortify_panic. Clarified the commit description a bit and applied the patch 4.17/scsi-fixes. Thanks!
diff --git a/drivers/target/target_core_iblock.c b/drivers/target/target_core_iblock.c index 07c814c..6042901 100644 --- a/drivers/target/target_core_iblock.c +++ b/drivers/target/target_core_iblock.c @@ -427,8 +427,8 @@ iblock_execute_zero_out(struct block_device *bdev, struct se_cmd *cmd) { struct se_device *dev = cmd->se_dev; struct scatterlist *sg = &cmd->t_data_sg[0]; - unsigned char *buf, zero = 0x00, *p = &zero; - int rc, ret; + unsigned char *buf, *not_zero; + int ret; buf = kmap(sg_page(sg)) + sg->offset; if (!buf) @@ -437,10 +437,10 @@ iblock_execute_zero_out(struct block_device *bdev, struct se_cmd *cmd) * Fall back to block_execute_write_same() slow-path if * incoming WRITE_SAME payload does not contain zeros. */ - rc = memcmp(buf, p, cmd->data_length); + not_zero = memchr_inv(buf, 0x00, cmd->data_length); kunmap(sg_page(sg)); - if (rc) + if (not_zero) return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; ret = blkdev_issue_zeroout(bdev,