2018-10-06 18:35:03

by Wenwen Wang

[permalink] [raw]
Subject: [PATCH] scsi: megaraid_sas: fix a missing-check bug

In megasas_mgmt_compat_ioctl_fw(), to handle the structure
compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
packet. Since the two data structures have different fields, the data is
copied from 'cioc' to 'ioc' field by field. In the copy process,
'sense_ptr' is prepared if the field 'sense_len' is not null, because it
will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
to kernel-space variables 'local_sense_off' and 'user_sense_off'
respectively. Given that 'ioc->sense_off' is also copied from
'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
same value. However, 'cioc' is in the user space and a malicious user can
race to change the value of 'cioc->sense_off' after it is copied to
'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
the attacker can inject different values into 'local_sense_off' and
'user_sense_off'. This can cause undefined behavior in the following
execution, because the two variables are supposed to be same.

This patch enforces a check on the two kernel variables 'local_sense_off'
and 'user_sense_off' to make sure they are the same after the copy. In case
they are not, an error code EINVAL will be returned.

Signed-off-by: Wenwen Wang <[email protected]>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 9aa9590..f6de752 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -7523,6 +7523,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
get_user(user_sense_off, &cioc->sense_off))
return -EFAULT;

+ if (local_sense_off != user_sense_off)
+ return -EINVAL;
+
if (local_sense_len) {
void __user **sense_ioc_ptr =
(void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
--
2.7.4



2018-10-16 03:44:08

by Martin K. Petersen

[permalink] [raw]
Subject: Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug


Wenwen,

> In megasas_mgmt_compat_ioctl_fw(), to handle the structure
> compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
> 'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
> packet. Since the two data structures have different fields, the data is
> copied from 'cioc' to 'ioc' field by field. In the copy process,
> 'sense_ptr' is prepared if the field 'sense_len' is not null, because it
> will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
> user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
> to kernel-space variables 'local_sense_off' and 'user_sense_off'
> respectively. Given that 'ioc->sense_off' is also copied from
> 'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
> same value. However, 'cioc' is in the user space and a malicious user can
> race to change the value of 'cioc->sense_off' after it is copied to
> 'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
> the attacker can inject different values into 'local_sense_off' and
> 'user_sense_off'. This can cause undefined behavior in the following
> execution, because the two variables are supposed to be same.
>
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.

Broadcom folks: Please review!

--
Martin K. Petersen Oracle Linux Engineering

2018-10-16 11:57:53

by Sumit Saxena

[permalink] [raw]
Subject: Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug

On Sun, Oct 7, 2018 at 12:04 AM Wenwen Wang <[email protected]> wrote:
>
> In megasas_mgmt_compat_ioctl_fw(), to handle the structure
> compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
> 'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
> packet. Since the two data structures have different fields, the data is
> copied from 'cioc' to 'ioc' field by field. In the copy process,
> 'sense_ptr' is prepared if the field 'sense_len' is not null, because it
> will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
> user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
> to kernel-space variables 'local_sense_off' and 'user_sense_off'
> respectively. Given that 'ioc->sense_off' is also copied from
> 'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
> same value. However, 'cioc' is in the user space and a malicious user can
> race to change the value of 'cioc->sense_off' after it is copied to
> 'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
> the attacker can inject different values into 'local_sense_off' and
> 'user_sense_off'. This can cause undefined behavior in the following
> execution, because the two variables are supposed to be same.
>
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.
>
> Signed-off-by: Wenwen Wang <[email protected]>
> ---
> drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
> index 9aa9590..f6de752 100644
> --- a/drivers/scsi/megaraid/megaraid_sas_base.c
> +++ b/drivers/scsi/megaraid/megaraid_sas_base.c
> @@ -7523,6 +7523,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
> get_user(user_sense_off, &cioc->sense_off))
> return -EFAULT;
>
> + if (local_sense_off != user_sense_off)
> + return -EINVAL;
> +
> if (local_sense_len) {
> void __user **sense_ioc_ptr =
> (void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);

Acked-by: Sumit Saxena <[email protected]>

> --
> 2.7.4
>

2018-10-16 21:57:49

by Martin K. Petersen

[permalink] [raw]
Subject: Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug


Wenwen,

> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.

Applied to 4.20/scsi-queue, thank you!

--
Martin K. Petersen Oracle Linux Engineering