From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Doug Gilbert, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org (open list:SCSI SG DRIVER), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] scsi: sg: fix a missing-check bug
Date: Sat, 5 May 2018 22:21:34 -0500
Message-Id: <1525576895-15708-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In sg_write(), the opcode of the command is first copied from the userspace pointer 'buf' and saved to the kernel variable 'opcode', using the __get_user() function. The size of the command, i.e., 'cmd_size', is then calculated based on the 'opcode'. After that, the whole command, including the opcode, is copied again from 'buf' using the __copy_from_user() function and saved to 'cmnd'. Finally, the function sg_common_write() is invoked to process 'cmnd'.

Given that the 'buf' pointer resides in userspace, a malicious userspace process can race to change the opcode of the command between the two copies. That means the opcode indicated by the variable 'opcode' could be different from the opcode in 'cmnd'. This can cause inconsistent data in 'cmnd' and potential logical errors in the function sg_common_write(), as it needs to work on 'cmnd'.

This patch reuses the opcode obtained in the first copy and only copies the remaining part of the command from userspace.

Signed-off-by: Wenwen Wang
---
 drivers/scsi/sg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index c198b963..0ad8106 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -657,7 +657,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) hp->flags = input_size; /* structure abuse ... */ hp->pack_id = old_hdr.pack_id; hp->usr_ptr = NULL; - if (__copy_from_user(cmnd, buf, cmd_size)) + cmnd[0] = opcode; + if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1)) return -EFAULT; /* * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV, -- 2.7.4
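Review bot: the new length argument `cmd_size - 1` is only safe if cmd_size can never be 0, and nothing in this hunk shows where that is guaranteed; since cmd_size is derived earlier in sg_write() from the opcode fetched by __get_user() (not in the visible context), a one-line comment above the copy, or a sentence in the commit message, should state that it is always at least the minimum CDB length, because a zero would wrap the size_t length into a huge __copy_from_user(). A short comment on `cmnd[0] = opcode;` saying it deliberately reuses the first fetch so that the opcode that sized the command is the one sg_common_write() acts on would also help the next reader, who will otherwise read the `+ 1` / `- 1` arithmetic as an odd way to copy a buffer. The commit message's "potential logical errors in the function sg_common_write()" also names no concrete consequence of a mismatched cmnd[0]; stating one would let reviewers weigh the change.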
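The double fetch the commit message describes, as an added user-space model that is not part of the patch or of the kernel's sg driver: "user memory" is a plain buffer, every fetch goes through a hypothetical fetch_user() that stands in for __get_user()/__copy_from_user(), and a callback invoked after each fetch plays the racing userspace thread, so the interleaving is deterministic instead of depending on thread scheduling. cdb_size_for(), write_double_fetch(), write_single_fetch() and run() are names invented for this example; the opcode-group size table mirrors the one the kernel uses for COMMAND_SIZE(), and the TEST UNIT READY / READ(10) opcodes are standard SCSI values.

```c
/* Added example: deterministic model of the sg_write() double fetch.
 * Not kernel code; fetch_user() stands in for __get_user()/__copy_from_user(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CDB 16

/* CDB length by opcode group (bits 7..5), mirroring the kernel's COMMAND_SIZE() table. */
static size_t cdb_size_for(uint8_t opcode)
{
    static const size_t tbl[8] = { 6, 10, 10, 12, 16, 12, 10, 10 };
    return tbl[opcode >> 5];
}

/* "User memory" plus an attacker hook run after every kernel fetch
 * (NULL means no concurrent writer). */
struct user_mem {
    uint8_t buf[MAX_CDB];
    void (*race)(struct user_mem *);
    int fetches;
};

/* Hypothetical copy_from_user(): bounds check, copy, then give the attacker a turn. */
static int fetch_user(struct user_mem *um, void *dst, size_t off, size_t len)
{
    if (off + len > MAX_CDB)
        return -1;                      /* stands in for access_ok()/-EFAULT */
    memcpy(dst, um->buf + off, len);
    um->fetches++;
    if (um->race)
        um->race(um);
    return 0;
}

/* Attacker: after the first fetch, swap the opcode for one from a larger CDB group. */
static void flip_opcode(struct user_mem *um)
{
    if (um->fetches == 1)
        um->buf[0] = 0x28;              /* READ(10): 10-byte CDB, was 6-byte TEST UNIT READY */
}

struct result {
    uint8_t opcode;                     /* value cmd_size was derived from */
    size_t cmd_size;
    uint8_t cmnd[MAX_CDB];              /* what sg_common_write() would see */
};

/* Pre-patch logic: the opcode is read once for sizing and again with the whole CDB. */
static int write_double_fetch(struct user_mem *um, struct result *r)
{
    if (fetch_user(um, &r->opcode, 0, 1))
        return -1;
    r->cmd_size = cdb_size_for(r->opcode);
    return fetch_user(um, r->cmnd, 0, r->cmd_size);
}

/* Patched logic: reuse the first fetch, copy only bytes 1..cmd_size-1. */
static int write_single_fetch(struct user_mem *um, struct result *r)
{
    if (fetch_user(um, &r->opcode, 0, 1))
        return -1;
    r->cmd_size = cdb_size_for(r->opcode);
    r->cmnd[0] = r->opcode;
    return fetch_user(um, r->cmnd + 1, 1, r->cmd_size - 1);
}

/* Runs one handler against a TEST UNIT READY (0x00) command, optionally under attack.
 * Returns 1 if the opcode that chose cmd_size and cmnd[0] disagree, 0 if consistent,
 * -1 on fault. */
static int run(int (*handler)(struct user_mem *, struct result *), int racy)
{
    struct user_mem um = { .race = racy ? flip_opcode : NULL };
    struct result r;

    memset(&r, 0, sizeof r);
    um.buf[0] = 0x00;                   /* constructed input: TEST UNIT READY, 6-byte CDB */
    if (handler(&um, &r))
        return -1;
    return r.cmnd[0] != r.opcode;
}

int main(void)
{
    printf("double fetch, no race : mismatch=%d\n", run(write_double_fetch, 0));
    printf("double fetch, racing  : mismatch=%d\n", run(write_double_fetch, 1));
    printf("single fetch, racing  : mismatch=%d\n", run(write_single_fetch, 1));
    return 0;
}
```

Under the race, the pre-patch handler sizes the command as 6 bytes from opcode 0x00 but hands sg_common_write() a CDB whose first byte is 0x28, exactly the inconsistency the commit message describes; the patched handler always passes on the byte it sized from, and the remaining bytes are fetched only once, so there is no second window to exploit.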