Received: by 10.192.165.148 with SMTP id m20csp1785513imm; Sat, 5 May 2018 22:49:43 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpkPTZ5WURcm4paneScxVKyA8/ZaWDLX2msGfrSOqiXvsmRsTFK0SfahUQep5pWkLGXVstT X-Received: by 2002:a63:3f06:: with SMTP id m6-v6mr27381248pga.340.1525585783043; Sat, 05 May 2018 22:49:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525585783; cv=none; d=google.com; s=arc-20160816; b=q26sUCgtKnCdNrpf84+76bR4m/ejVeW0ggCWP+v6CZv7tArBr9/4rPuHNYTwN/0uy9 1w6U+CTZwpdQn3Lj/AfZxW3qpaHryVKR6JoqiBD7JX5ltPt8mfhXEz1Sdq4Onp4YpoJe vSr9pkSl9sLEZpNiJpgLz0ATPijlP0v5i4i7s2CzY+7L3a41eC4d7YTO0PEBYNCr91c5 3lMNvdqijjcjx40sA51LCQkqsrgCEjIOdlmbxVR1J6zCUlB3Z3A6XY1utMldpdFKW/LB krk2bJI8B/0Dj2iB/J3a0QaBRAsa5msSbEnv4EzwFM1L5EnlcvpIuFPUFMIZvX1uykIl AaEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=7qjD/SBuYyW9/mV0kxNTk1QOyc4GW3/Pxg6d0LWL+to=; b=WZyUTPwLCRA9mo+EkXT0Fk6jOkfp2I6xkYqcIXXGDmTg9xJuZ+qqp0sU038CDll4eR P7wOsl87nNGUN0w5sMF9nuQa75fF2hZGZQ3DN3D2c0Px4fgQAlG6mxKbJZM2ySSUw1pX kHDKhu2j1o4H3gueC9krlMnC3elHEvLA9x/yzzHUxuXWI3s2oBm5BxmdNVkI5on5h0uE fIM4vtdLbpgaEqwHwSVd1eg1m+7i+bptehtaRW0X4noo0YMLmrQpuhoSdRaiLNpTdHCb /OugP4er/6Lul5XdVAncFlpUOJuCOi1RD38h8XfhkW4aouUHll2cKlDIPNXk9sGsyhRA O1vg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=GPR2z02U; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l192-v6si16150459pge.365.2018.05.05.22.48.57; Sat, 05 May 2018 22:49:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=GPR2z02U; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751180AbeEFFss (ORCPT + 99 others); Sun, 6 May 2018 01:48:48 -0400 Received: from mta-p7.oit.umn.edu ([134.84.196.207]:38860 "EHLO mta-p7.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750872AbeEFFsr (ORCPT ); Sun, 6 May 2018 01:48:47 -0400 Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id 8E693AE5 for ; Sun, 6 May 2018 05:48:46 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GS-H1b3WNzR for ; Sun, 6 May 2018 00:48:46 -0500 (CDT) Received: from mail-io0-f198.google.com (mail-io0-f198.google.com [209.85.223.198]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id 5B8399BC for ; Sun, 6 May 2018 00:48:46 -0500 (CDT) Received: by mail-io0-f198.google.com with SMTP id s12-v6so24273911ioc.20 for ; Sat, 05 May 2018 22:48:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id; bh=7qjD/SBuYyW9/mV0kxNTk1QOyc4GW3/Pxg6d0LWL+to=; b=GPR2z02U63j3sX7PiozVlOb6cBtSvLuk59vswlXmsPv81f+nYyZRyaW3UDNCovYmhn x0i2IEwsi983MPpFpq9nLJs1DLCK/e9iVUvw1QyGT0lV9UUFxwYpatalRCJhBc4Lsf0Q /YD1Y87Xaev4WkZDndffi4izVK2B675UG/4rS1ppAa6+ciNf6J0/8uRsaLEmnBEGt9Pt l8ggkjKqCiSxr0OK8UuviVBQl1RJi/0tXLcoNqmjHmA8WPCoktzfvqAlEMs9mJWXPtrj uj/zsZLaWcAI2qdVziX0Y0273XxhHvQT/ZM+Mx7s/tsTCUmnDgHj+Mvpb2A4Qm7codgF UIOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=7qjD/SBuYyW9/mV0kxNTk1QOyc4GW3/Pxg6d0LWL+to=; b=Vu34JbZh1yA4zzXcnN8/BYC2v4bxL4dtxbW2gIuuPIjV4Oi+8cqiR+nVD1X8O7yu5e Qq9D2ywoWd4AuhBOzCj2+CruuHlmPW8JRTcWM9lDr+npoqrh0I1t1Re3s8MFVeiNZHtC tZMGltxBtZszpMhgWVi89ltaroKoMROoYWKXn6YaaB4Qa31Uk523Eor3cZeJSsyu+hjn ukiRtkmkynI6AL2dkBZWStRcxvCZXslyjvLqYPRZSA27D8oeJiBpXtj0K8DTa5AJPOo3 qNcSeZ1kUUo+wnx4U4MAVJZDG6rc1lBxFZ2CyTuPTZ27mOUZGICv3H0cG56nS8Qg2uFZ cfcg== X-Gm-Message-State: ALQs6tCHtg37wEQ0jcxn/WfvzwaIpaeS22ShMmQ8LQK+m9jbuz4MLky6 K+VKsGRJ7YFkhx7KZUFv86UMtks2C0N+IuQZYQgcARW5yJ5C5z3d8z4AXPTVfqgd3iseRAqvrJc mQehQHcwbSkoAdexIJ+DAeNZZd9P3 X-Received: by 2002:a6b:2a05:: with SMTP id q5-v6mr36391480ioq.252.1525585726041; Sat, 05 May 2018 22:48:46 -0700 (PDT) X-Received: by 2002:a6b:2a05:: with SMTP id q5-v6mr36391469ioq.252.1525585725824; Sat, 05 May 2018 22:48:45 -0700 (PDT) Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu. [134.84.121.95]) by smtp.gmail.com with ESMTPSA id 2-v6sm2903997itk.1.2018.05.05.22.48.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 05 May 2018 22:48:44 -0700 (PDT) From: Wenwen Wang To: Wenwen Wang Cc: Kangjie Lu , Adam Radford , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list) Subject: [PATCH] scsi: 3w-xxxx: fix a missing-check bug Date: Sun, 6 May 2018 00:48:14 -0500 Message-Id: <1525585714-17548-1-git-send-email-wang6495@umn.edu> X-Mailer: git-send-email 2.7.4 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In tw_chrdev_ioctl(), the length of the data buffer is firstly copied from the userspace pointer 'argp' and saved to the kernel object 'data_buffer_length'. Then a security check is performed on it to make sure that the length is not more than 'TW_MAX_IOCTL_SECTORS * 512'. Otherwise, an error code -EINVAL is returned. If the security check is passed, the entire ioctl command is copied again from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various operations are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in userspace, a malicious userspace process can race to change the buffer length between the two copies. This way, the user can bypass the security check and inject invalid data buffer length. This can cause potential security issues in the following execution. This patch checks the buffer length obtained in the second copy. An error code -EINVAL will be returned if it is not same as the original one in the first copy. Signed-off-by: Wenwen Wang --- drivers/scsi/3w-xxxx.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c index 33261b6..ef79194 100644 --- a/drivers/scsi/3w-xxxx.c +++ b/drivers/scsi/3w-xxxx.c @@ -919,6 +919,10 @@ static long tw_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long a /* Now copy down the entire ioctl */ if (copy_from_user(tw_ioctl, argp, data_buffer_length + sizeof(TW_New_Ioctl) - 1)) goto out2; + if (tw_ioctl->data_buffer_length != data_buffer_length) { + retval = -EINVAL; + goto out2; + } passthru = (TW_Passthru *)&tw_ioctl->firmware_command; -- 2.7.4