ddbd89deb7
The problem I'm addressing was discovered by the LTP test covering
cve-2018-1000204.
A short description of what happens follows:
1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO
interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV
and a corresponding dxferp. The peculiar thing about this is that TUR
is not reading from the device.
2) In sg_start_req() the invocation of blk_rq_map_user() effectively
bounces the user-space buffer. As if the device was to transfer into
it. Since commit
|
||
---|---|---|
.. | ||
irq | ||
assoc_array.rst | ||
boot-time-mm.rst | ||
bus-virt-phys-mapping.rst | ||
cachetlb.rst | ||
circular-buffers.rst | ||
cpu_hotplug.rst | ||
debug-objects.rst | ||
debugging-via-ohci1394.rst | ||
dma-api-howto.rst | ||
dma-api.rst | ||
dma-attributes.rst | ||
dma-isa-lpc.rst | ||
errseq.rst | ||
genalloc.rst | ||
generic-radix-tree.rst | ||
genericirq.rst | ||
gfp_mask-from-fs-io.rst | ||
idr.rst | ||
index.rst | ||
kernel-api.rst | ||
kobject.rst | ||
kref.rst | ||
librs.rst | ||
local_ops.rst | ||
memory-allocation.rst | ||
memory-hotplug.rst | ||
mm-api.rst | ||
packing.rst | ||
padata.rst | ||
pin_user_pages.rst | ||
printk-basics.rst | ||
printk-formats.rst | ||
protection-keys.rst | ||
rbtree.rst | ||
refcount-vs-atomic.rst | ||
symbol-namespaces.rst | ||
this_cpu_ops.rst | ||
timekeeping.rst | ||
tracepoint.rst | ||
unaligned-memory-access.rst | ||
workqueue.rst | ||
xarray.rst |