scsi: stex: Properly zero out the passthrough command structure

commit 6022f210461fef67e6e676fd8544ca02d1bcfa7a upstream.

The passthrough structure is declared off of the stack, so it needs to be
set to zero before copied back to userspace to prevent any unintentional
data leakage.  Switch things to be statically allocated which will fill the
unused fields with 0 automatically.

Link: https://lore.kernel.org/r/YxrjN3OOw2HHl9tx@kroah.com
Cc: stable@kernel.org
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: hdthky <hdthky0@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
index 5b23175a584cc68fc99c0d4f099bcba4c47f0702..23f90ca344ad32cfe9834e11191996cadafe2677 100644 (file)
--- a/drivers/scsi/stex.c
+++ b/drivers/scsi/stex.c
@@ -653,16 +653,17 @@ stex_queuecommand_lck(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *))
                return 0;
        case PASSTHRU_CMD:
                if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
-                       struct st_drvver ver;
+                       const struct st_drvver ver = {
+                               .major = ST_VER_MAJOR,
+                               .minor = ST_VER_MINOR,
+                               .oem = ST_OEM,
+                               .build = ST_BUILD_VER,
+                               .signature[0] = PASSTHRU_SIGNATURE,
+                               .console_id = host->max_id - 1,
+                               .host_no = hba->host->host_no,
+                       };
                        size_t cp_len = sizeof(ver);
 
-                       ver.major = ST_VER_MAJOR;
-                       ver.minor = ST_VER_MINOR;
-                       ver.oem = ST_OEM;
-                       ver.build = ST_BUILD_VER;
-                       ver.signature[0] = PASSTHRU_SIGNATURE;
-                       ver.console_id = host->max_id - 1;
-                       ver.host_no = hba->host->host_no;
                        cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
                        cmd->result = sizeof(ver) == cp_len ?
                                DID_OK << 16 | COMMAND_COMPLETE << 8 :

diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
index 9fc1aecfc81369b9cfc694bece77b9bdfde131e5..e7489fba2918b758a5f84a06d440786b8b238742 100644 (file)
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -214,7 +214,7 @@ static inline struct scsi_data_buffer *scsi_out(struct scsi_cmnd *cmd)
 }
 
 static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,
-                                          void *buf, int buflen)
+                                          const void *buf, int buflen)
 {
        return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
                                   buf, buflen);