From patchwork Tue Jul 31 19:51:54 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 10551265
Return-Path: <target-devel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CD321157D
	for <patchwork-target-devel@patchwork.kernel.org>;
 Tue, 31 Jul 2018 19:52:24 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BC8022B4E0
	for <patchwork-target-devel@patchwork.kernel.org>;
 Tue, 31 Jul 2018 19:52:24 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id B0AE72B49D; Tue, 31 Jul 2018 19:52:24 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable
	version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 45A112B30E
	for <patchwork-target-devel@patchwork.kernel.org>;
 Tue, 31 Jul 2018 19:52:24 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732600AbeGaVeI (ORCPT
        <rfc822;patchwork-target-devel@patchwork.kernel.org>);
        Tue, 31 Jul 2018 17:34:08 -0400
Received: from mail-pf1-f193.google.com ([209.85.210.193]:46602 "EHLO
        mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732581AbeGaVeF (ORCPT
        <rfc822;target-devel@vger.kernel.org>);
        Tue, 31 Jul 2018 17:34:05 -0400
Received: by mail-pf1-f193.google.com with SMTP id u24-v6so6599064pfn.13
        for <target-devel@vger.kernel.org>;
 Tue, 31 Jul 2018 12:52:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=BDfKI6awLThB24p2Q6R3Fe6OMkgYvDzj00pebpvR4as=;
        b=Cit+LAf7T7XkvnyANuIoiBjF9q1tjsLa6AtTpZ7XVesA8Jn++uBPLSWtEpE4I/xLi/
         TCUGbtU1z+qwgfAGeYJIrkHbgXkZQ9OakNvLWMRcwq9uv7GyXs9qR6b0g8CTWty+o7K3
         sKHVp1Hx1rOWAwRNsOSEI7j13Zqw8a/aEpsBY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=BDfKI6awLThB24p2Q6R3Fe6OMkgYvDzj00pebpvR4as=;
        b=M+xBzrAEMT+Ur31bWCDk58DnzKYCReM7vwvkuleraHW4HxtwUFrGGfMXdH95xLTZSb
         sifPeEmJQl9vaXdi4FhkMy996+8aMKkIuJZEXL+BvXXs1KO+740duvw4M8aWLT4DujVy
         I75qqhRECMILebLP2zFWHSHskUwJP4VfsNbtmQvwmYCvkhRtdxTch2FwdUu+yzGC4aTL
         bLOV3sAZO8RNh+HFX6oGAaxz9sXS1KW/cvUPyCv6bpkU6DkAfgoQoS79To08rxjE9yLu
         utAa/uLmYeLrFG9GTunz+ASSIZ9Xf6jX+UUV8Mj+oV9Qn8GqJGrfaY6lHZEu4MviJC+i
         Z4CA==
X-Gm-Message-State: AOUpUlG0eTIlJVlNpwGm01/f0tY7LHafp00o2OqBfZ6/BJAmxCCtrhXa
        Kkq5RMLyXzXINblteKTBlumZhg==
X-Google-Smtp-Source: 
 AAOMgpe2zhSpA3DJdgGE7RghbpvSpIBCKJKihNhsZaiZF9Fwuqmx0TuQVBmAIM3apMrT1N0dxHLLYg==
X-Received: by 2002:a63:b02:: with SMTP id
 2-v6mr21042647pgl.301.1533066732186;
        Tue, 31 Jul 2018 12:52:12 -0700 (PDT)
Received: from www.outflux.net
 (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133])
        by smtp.gmail.com with ESMTPSA id
 k64-v6sm20423196pgd.47.2018.07.31.12.52.07
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 31 Jul 2018 12:52:07 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Jens Axboe <axboe@kernel.dk>
Cc: Kees Cook <keescook@chromium.org>, Christoph Hellwig <hch@infradead.org>,
 "Martin K. Petersen" <martin.petersen@oracle.com>,
 "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>, Tejun Heo <tj@kernel.org>,
 Borislav Petkov <bp@alien8.de>, "David S. Miller" <davem@davemloft.net>,
 "Manoj N. Kumar" <manoj@linux.vnet.ibm.com>,
 "Matthew R. Ochs" <mrochs@linux.vnet.ibm.com>,
 Uma Krishnan <ukrishn@linux.vnet.ibm.com>,
 "Nicholas A. Bellinger" <nab@linux-iscsi.org>,
 Thomas Gleixner <tglx@linutronix.de>,
 Philippe Ombredanne <pombredanne@nexb.com>,
 Stephen Boyd <sboyd@codeaurora.org>,
 Cyrille Pitchen <cyrille.pitchen@free-electrons.com>,
 Juergen Gross <jgross@suse.com>, Viresh Kumar <viresh.kumar@linaro.org>,
	=?utf-8?q?Uwe_Kleine-K=C3=B6nig?=  <u.kleine-koenig@pengutronix.de>,
 Sagar Dharia <sdharia@codeaurora.org>, Randy Dunlap <rdunlap@infradead.org>,
 Vinod Koul <vinod.koul@intel.com>,
 David Kershner <david.kershner@unisys.com>, linux-block@vger.kernel.org,
 linux-ide@vger.kernel.org, linux-scsi@vger.kernel.org,
 target-devel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 9/9] scsi: Check sense buffer size at build time
Date: Tue, 31 Jul 2018 12:51:54 -0700
Message-Id: <20180731195155.46664-10-keescook@chromium.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180731195155.46664-1-keescook@chromium.org>
References: <20180731195155.46664-1-keescook@chromium.org>
Sender: target-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <target-devel.vger.kernel.org>
X-Mailing-List: target-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

To avoid introducing problems like those fixed in commit f7068114d45e
("sr: pass down correctly sized SCSI sense buffer"), this creates a macro
wrapper for scsi_execute() that verifies the size of the sense buffer
similar to what was done for command string sizes in commit 3756f6401c30
("exec: avoid gcc-8 warning for get_task_comm").

Another solution could be to add a length argument to scsi_execute(),
but this function already takes a lot of arguments and Jens was not fond
of that approach.

Additionally, this moves the SCSI_SENSE_BUFFERSIZE definition into
scsi_device.h, and removes a redundant include for scsi_device.h from
scsi_cmnd.h.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
---
 drivers/scsi/scsi_lib.c    |  6 +++---
 include/scsi/scsi_cmnd.h   |  6 ++----
 include/scsi/scsi_device.h | 14 +++++++++++++-
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index e9b4f279d29c..718c2bec4516 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -238,7 +238,7 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
 
 
 /**
- * scsi_execute - insert request and wait for the result
+ * __scsi_execute - insert request and wait for the result
  * @sdev:	scsi device
  * @cmd:	scsi command
  * @data_direction: data direction
@@ -255,7 +255,7 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
  * Returns the scsi_cmnd result field if a command was executed, or a negative
  * Linux error code if we didn't get that far.
  */
-int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 		 int data_direction, void *buffer, unsigned bufflen,
 		 unsigned char *sense, struct scsi_sense_hdr *sshdr,
 		 int timeout, int retries, u64 flags, req_flags_t rq_flags,
@@ -309,7 +309,7 @@ int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 
 	return ret;
 }
-EXPORT_SYMBOL(scsi_execute);
+EXPORT_SYMBOL(__scsi_execute);
 
 /*
  * Function:    scsi_init_cmd_errh()
diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
index aaf1e971c6a3..7bf043a66e10 100644
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -14,8 +14,6 @@
 struct Scsi_Host;
 struct scsi_driver;
 
-#include <scsi/scsi_device.h>
-
 /*
  * MAX_COMMAND_SIZE is:
  * The longest fixed-length SCSI CDB as per the SCSI standard.
@@ -120,11 +118,11 @@ struct scsi_cmnd {
 	struct request *request;	/* The command we are
 				   	   working on */
 
-#define SCSI_SENSE_BUFFERSIZE 	96
 	unsigned char *sense_buffer;
 				/* obtained by REQUEST SENSE when
 				 * CHECK CONDITION is received on original
-				 * command (auto-sense) */
+				 * command (auto-sense). Length must be
+				 * SCSI_SENSE_BUFFERSIZE bytes. */
 
 	/* Low-level done function - can be used by low-level driver to point
 	 *        to completion function.  Not used by mid/upper level code. */
diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
index 7ae177c8e399..96b626ad5fb1 100644
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -17,6 +17,8 @@ struct scsi_sense_hdr;
 
 typedef unsigned int __bitwise blist_flags_t;
 
+#define SCSI_SENSE_BUFFERSIZE	96
+
 struct scsi_mode_data {
 	__u32	length;
 	__u16	block_descriptor_length;
@@ -426,11 +428,21 @@ extern const char *scsi_device_state_name(enum scsi_device_state);
 extern int scsi_is_sdev_device(const struct device *);
 extern int scsi_is_target_device(const struct device *);
 extern void scsi_sanitize_inquiry_string(unsigned char *s, int len);
-extern int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
 			int data_direction, void *buffer, unsigned bufflen,
 			unsigned char *sense, struct scsi_sense_hdr *sshdr,
 			int timeout, int retries, u64 flags,
 			req_flags_t rq_flags, int *resid);
+/* Make sure any sense buffer is the correct size. */
+#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense,	\
+		     sshdr, timeout, retries, flags, rq_flags, resid)	\
+({									\
+	BUILD_BUG_ON((sense) != NULL &&					\
+		     sizeof(sense) != SCSI_SENSE_BUFFERSIZE);		\
+	__scsi_execute(sdev, cmd, data_direction, buffer, bufflen,	\
+		       sense, sshdr, timeout, retries, flags, rq_flags,	\
+		       resid);						\
+})
 static inline int scsi_execute_req(struct scsi_device *sdev,
 	const unsigned char *cmd, int data_direction, void *buffer,
 	unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout,