From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu , Adam Radford , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] scsi: 3w-9xxx: fix a missing-check bug
Date: Sat, 5 May 2018 22:43:13 -0500
Message-Id: <1525578221-16283-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from the userspace pointer 'argp' and saved to the kernel object 'driver_command'. Then a security check is performed on the data buffer size indicated by 'driver_command', which is 'driver_command.buffer_length'. If the security check is passed, the entire ioctl command is copied again from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various operations are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in userspace, a malicious userspace process can race to change the buffer size between the two copies. This way, the user can bypass the security check and inject an invalid data buffer size. This can cause potential security issues in the following execution.

This patch checks the buffer size obtained in the second copy. An error code -EINVAL will be returned if it is not the same as the original one in the first copy.

Signed-off-by: Wenwen Wang
---
 drivers/scsi/3w-9xxx.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
index b42c9c4..8bc43db 100644
--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w-9xxx.c
@@ -684,6 +684,12 @@ static long twa_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long if (copy_from_user(tw_ioctl, argp, driver_command.buffer_length + sizeof(TW_Ioctl_Buf_Apache) - 1)) goto out3; + if (tw_ioctl->driver_command.buffer_length + != driver_command.buffer_length) { + retval = TW_IOCTL_ERROR_OS_EINVAL; + goto out3; + } + /* See which ioctl we are doing */ switch (cmd) { case TW_IOCTL_FIRMWARE_PASS_THROUGH: -- 2.7.4
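Review bot: the new comparison after the second copy_from_user() is the right place to close the double fetch, but the patch description says -EINVAL is returned while the hunk sets `retval = TW_IOCTL_ERROR_OS_EINVAL;`; if that driver constant expands to -EINVAL the two agree and the description could simply name the constant, otherwise the description should state the value actually returned. A short comment above the new `if`, saying that `driver_command` is the validated first fetch and `tw_ioctl->driver_command` is the re-fetched copy, would help future readers since the two names differ only by prefix. It is also worth stating in the description that the second copy is already bounded by the first fetch (`driver_command.buffer_length + sizeof(TW_Ioctl_Buf_Apache) - 1`), so what the new check protects is every later read of `tw_ioctl->driver_command.buffer_length`, which would otherwise be the unvalidated value; overwriting that field with the validated length would have the same effect, though rejecting the request makes a racing writer visible as an error.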
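The double fetch described in the patch description, modelled in user space as an added example that is not part of the patch or of the 3w-9xxx driver: `struct driver_cmd`, `MAX_BUFFER`, the simulated `copy_from_user` and the `race` hook are constructed stand-ins for the driver's command header, its size check and a second thread writing to `argp` between the two copies.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the ioctl command header (not the driver's real struct). */
struct driver_cmd {
    uint32_t opcode;
    uint32_t buffer_length;
};
#define MAX_BUFFER 1024u   /* constructed limit enforced by the first security check */

/* Simulated user memory plus an optional hook that rewrites it between the two
 * fetches, standing in for a racing user-space thread. NULL means no racer. */
struct user_mem {
    struct driver_cmd cmd;
    void (*race)(struct driver_cmd *);
};

static void copy_from_user_sim(struct driver_cmd *dst, const struct user_mem *src) {
    memcpy(dst, &src->cmd, sizeof(*dst));
}

/* Mirrors the handler's flow: fetch, validate, fetch again, then (with recheck set)
 * compare both lengths as the patch does. Returns the length later code would trust,
 * or -EINVAL when a check fails. */
long ioctl_double_fetch(struct user_mem *argp, int recheck) {
    struct driver_cmd first, second;
    copy_from_user_sim(&first, argp);
    if (first.buffer_length > MAX_BUFFER)
        return -EINVAL;                       /* the original security check */
    if (argp->race)
        argp->race(&argp->cmd);               /* racer changes user memory here */
    copy_from_user_sim(&second, argp);
    if (recheck && second.buffer_length != first.buffer_length)
        return -EINVAL;                       /* the check added by the patch */
    return second.buffer_length;              /* value the rest of the handler uses */
}

/* Racing writer: inflate the length after the first check has passed. */
static void grow_length(struct driver_cmd *c) { c->buffer_length = 1u << 20; }

long run_without_race(int recheck) {
    struct user_mem m = {{1, 64}, NULL};
    return ioctl_double_fetch(&m, recheck);
}
long run_with_race(int recheck) {
    struct user_mem m = {{1, 64}, grow_length};
    return ioctl_double_fetch(&m, recheck);
}
```

Without the recheck the handler proceeds with a length far above MAX_BUFFER even though the first check passed; with it, the mismatch is rejected.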