From patchwork Tue May 22 18:15:12 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 10419331
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	B62736053B for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue, 22 May 2018 18:16:03 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A7C9E28396
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue, 22 May 2018 18:16:03 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 9C36628FBC; Tue, 22 May 2018 18:16:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0F8F928396
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue, 22 May 2018 18:16:03 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751733AbeEVSPf (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Tue, 22 May 2018 14:15:35 -0400
Received: from mail-pl0-f65.google.com ([209.85.160.65]:36784 "EHLO
	mail-pl0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751655AbeEVSP0 (ORCPT
	<rfc822; linux-scsi@vger.kernel.org>); Tue, 22 May 2018 14:15:26 -0400
Received: by mail-pl0-f65.google.com with SMTP id v24-v6so11379496plo.3
	for <linux-scsi@vger.kernel.org>;
	Tue, 22 May 2018 11:15:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=lJag4coE7iCMp1DSMdlDISOHos375cWKPRK28tZ9c1M=;
	b=NEFD8WBO4MuZhhOynI62Lb8ZEw3BuqXwLOBhr1TuEoGwq2EK8Od3yrxba/qZpmnkoP
	FZhqpfyjdsW+lXUmHQIK5ibr2Mr5dLuuCR7gxpqGbOpmgI3d8uvXv6hDJxjzrl6fTFUN
	IMDdjohQFgraZlUrbwMYkVzrmzRXVt/hVPA70=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=lJag4coE7iCMp1DSMdlDISOHos375cWKPRK28tZ9c1M=;
	b=lFg5nu4v27GgCCXm6Xhzjqkglx8qUS1WUcK9e2ZSReZYH1QMpFTjOtEmESh+L7v2s2
	mZHqZulUqT1PNwWKA1GH3KY2+NUByTa0ne38l6AYq1B9u8KAy5ZcWIEWoxcbWu/nBn1a
	epVy8gkekV/jcyUadGKvORD3GIIur8/gA9XzSVXZ9IRFl330xkKe4HW2zCYcstI0YsTc
	MPD3AEvX1tybT4epMp4WjHMyK7Ky9fGTP8oOE6Yh/1CW/ngIWzblhA5ZvvYoeZGtAKs1
	Te/ZXFnjzMajQOmlfRI3U9Zr/HoMT9nratXq+YV440s7nN0++N0oMh6RxOWepNj3BPZ/
	8dgg==
X-Gm-Message-State: ALKqPwdxVWafzqvMPX6649aFfC5hpHy666bsUySaF1Nhb6Xvl+oDKLt3
	3i03r3/gZcq3ufB+eey4CNv4MQ==
X-Google-Smtp-Source: 
 AB8JxZr1j04qCgHCPIUM2OkKt1aXqxhgJgOZ5hMlbyMqs1/xj90UuS8ceAvwH/tA8x1vfKPDHMLpsg==
X-Received: by 2002:a17:902:7582:: with SMTP id
	j2-v6mr25715717pll.65.1527012926312;
	Tue, 22 May 2018 11:15:26 -0700 (PDT)
Received: from www.outflux.net
	(173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133])
	by smtp.gmail.com with ESMTPSA id
	w134-v6sm28934638pfd.187.2018.05.22.11.15.21
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Tue, 22 May 2018 11:15:24 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Jens Axboe <axboe@kernel.dk>
Cc: Kees Cook <keescook@chromium.org>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	Tejun Heo <tj@kernel.org>, Borislav Petkov <bp@alien8.de>,
	"David S. Miller" <davem@davemloft.net>,
	"Manoj N. Kumar" <manoj@linux.vnet.ibm.com>,
	"Matthew R. Ochs" <mrochs@linux.vnet.ibm.com>,
	Uma Krishnan <ukrishn@linux.vnet.ibm.com>,
	linux-block@vger.kernel.org, linux-ide@vger.kernel.org,
	linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 6/6] scsi: Check sense buffer size at build time
Date: Tue, 22 May 2018 11:15:12 -0700
Message-Id: <20180522181512.39316-7-keescook@chromium.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180522181512.39316-1-keescook@chromium.org>
References: <20180522181512.39316-1-keescook@chromium.org>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

To avoid introducing problems like those fixed in commit f7068114d45e
("sr: pass down correctly sized SCSI sense buffer"), this creates a macro
wrapper for scsi_execute() that verifies the size of the sense buffer
similar to what was done for command string sizes in commit 3756f6401c30
("exec: avoid gcc-8 warning for get_task_comm").

Another solution could be to add another argument to scsi_execute(),
but this function already takes a lot of arguments and Jens was not fond
of that approach. As there was only a pair of dynamically allocated sense
buffers, this also moves those 96 bytes onto the stack to avoid triggering
the sizeof() check.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/scsi/scsi_lib.c    |  6 +++---
 include/scsi/scsi_device.h | 12 +++++++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index e9b4f279d29c..718c2bec4516 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -238,7 +238,7 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
 
 
 /**
- * scsi_execute - insert request and wait for the result
+ * __scsi_execute - insert request and wait for the result
  * @sdev:	scsi device
  * @cmd:	scsi command
  * @data_direction: data direction
@@ -255,7 +255,7 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
  * Returns the scsi_cmnd result field if a command was executed, or a negative
  * Linux error code if we didn't get that far.
  */
-int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 		 int data_direction, void *buffer, unsigned bufflen,
 		 unsigned char *sense, struct scsi_sense_hdr *sshdr,
 		 int timeout, int retries, u64 flags, req_flags_t rq_flags,
@@ -309,7 +309,7 @@ int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 
 	return ret;
 }
-EXPORT_SYMBOL(scsi_execute);
+EXPORT_SYMBOL(__scsi_execute);
 
 /*
  * Function:    scsi_init_cmd_errh()
diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
index 7ae177c8e399..1bb87b6c0ad2 100644
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -426,11 +426,21 @@ extern const char *scsi_device_state_name(enum scsi_device_state);
 extern int scsi_is_sdev_device(const struct device *);
 extern int scsi_is_target_device(const struct device *);
 extern void scsi_sanitize_inquiry_string(unsigned char *s, int len);
-extern int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 			int data_direction, void *buffer, unsigned bufflen,
 			unsigned char *sense, struct scsi_sense_hdr *sshdr,
 			int timeout, int retries, u64 flags,
 			req_flags_t rq_flags, int *resid);
+/* Make sure any sense buffer is the correct size. */
+#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense,	\
+		     sshdr, timeout, retries, flags, rq_flags, resid)	\
+({									\
+	BUILD_BUG_ON((sense) != NULL &&					\
+		     sizeof(sense) != SCSI_SENSE_BUFFERSIZE);		\
+	__scsi_execute(sdev, cmd, data_direction, buffer, bufflen,	\
+		       sense, sshdr, timeout, retries, flags, rq_flags,	\
+		       resid);						\
+})
 static inline int scsi_execute_req(struct scsi_device *sdev,
 	const unsigned char *cmd, int data_direction, void *buffer,
 	unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout,