scsi: stex: Properly zero out the passthrough command structure

commit 6022f210461fef67e6e676fd8544ca02d1bcfa7a upstream.

The passthrough structure is declared off of the stack, so it needs to be
set to zero before copied back to userspace to prevent any unintentional
data leakage.  Switch things to be statically allocated which will fill the
unused fields with 0 automatically.

Link: https://lore.kernel.org/r/YxrjN3OOw2HHl9tx@kroah.com
Cc: stable@kernel.org
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: hdthky <hdthky0@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
index e6420f2127ce1c4eb9725b8f7711893ccb06ab1f..8def242675ef3fa515fbaf850969598c5ea86692 100644 (file)
--- a/drivers/scsi/stex.c
+++ b/drivers/scsi/stex.c
@@ -665,16 +665,17 @@ static int stex_queuecommand_lck(struct scsi_cmnd *cmd)
                return 0;
        case PASSTHRU_CMD:
                if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
-                       struct st_drvver ver;
+                       const struct st_drvver ver = {
+                               .major = ST_VER_MAJOR,
+                               .minor = ST_VER_MINOR,
+                               .oem = ST_OEM,
+                               .build = ST_BUILD_VER,
+                               .signature[0] = PASSTHRU_SIGNATURE,
+                               .console_id = host->max_id - 1,
+                               .host_no = hba->host->host_no,
+                       };
                        size_t cp_len = sizeof(ver);
 
-                       ver.major = ST_VER_MAJOR;
-                       ver.minor = ST_VER_MINOR;
-                       ver.oem = ST_OEM;
-                       ver.build = ST_BUILD_VER;
-                       ver.signature[0] = PASSTHRU_SIGNATURE;
-                       ver.console_id = host->max_id - 1;
-                       ver.host_no = hba->host->host_no;
                        cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
                        if (sizeof(ver) == cp_len)
                                cmd->result = DID_OK << 16;

diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
index 1e80e70dfa9276c30b23c37621f57a5fe7b56db9..5ce1aac64edd1a105b642c419f1a1d05824656c5 100644 (file)
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -201,7 +201,7 @@ static inline unsigned int scsi_get_resid(struct scsi_cmnd *cmd)
        for_each_sg(scsi_sglist(cmd), sg, nseg, __i)
 
 static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,
-                                          void *buf, int buflen)
+                                          const void *buf, int buflen)
 {
        return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
                                   buf, buflen);