Received: by 10.192.165.148 with SMTP id m20csp1786669imm; Sat, 5 May 2018 22:51:45 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoLyakGpsB1mQ5I8kaJuTqDg871E/5Ir9Jtoargm1VV4rQwioF2p7RPdq/4WyRUBgqXDKRH X-Received: by 10.98.71.141 with SMTP id p13mr32429901pfi.164.1525585905095; Sat, 05 May 2018 22:51:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525585905; cv=none; d=google.com; s=arc-20160816; b=duGIJRga7BgYRLT9NAIG9WzjY2bm7t23p7FDZWUeeTQWzbFyIa6jGITOSJg6wcmA8r DORbP3s8w0bri8csb+zqtfL8f4bzoiNSedPJ1zsM6DUPLjY/cB5xLPVFHDg+nlPpWa7B sZm0LEPlhO0QViL4gZpdcceQlf5qVPPFuw1xc82ep6Tzuys9e4kpZaKgOpvWBF0guL9l 8bPI660LAWixv+7fxBu8lvZdaae1L+fCLmIOtxuE+giOjUJWHwafKW+thYA36WxJDIFw YOUei8I+OCTgizPUo52F2d/iWOyVcLAYYE62JozoyePrMqfhmXZpw3eUrAzS1Gyn9r45 xV/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=CpOQZ1IkdP9QtIwxlrvheEY0pCDIoFseLcBKNXyji6c=; b=FNgiVN4ANj3zGwmU7wj0E5UVA1KroW/BJHUsmgXTdj/YA1eBp5Hw4tQxGNFpcL1Fq0 ldZ1qBfffzE0y/erf19C1ENzBovGBa4+wxkyeM8ghKr3x4zh1j1FQuWozWVf7oESGwk6 BjxYc0QtTGo8g0qthE5BfqK645H4OAlMPrYZypx75NYK+NZT8D9WBj1R1uqRi7udUzmu 16SvJxEjvTJIhpmqicE36RWRGiRFnEERx93xPjUwTHjIFiBqD3VOELp1tUv407JMXX5C qF44sPtbfYbzPZqAGvnErZIJf0+ZtX54spOHtmJgQ/bmXAQmKEj2dXIdKWdOL7p60Xla 8ssA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=BShqMg9b; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f38-v6si20082521plb.44.2018.05.05.22.51.30; Sat, 05 May 2018 22:51:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=BShqMg9b; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751305AbeEFFvK (ORCPT + 99 others); Sun, 6 May 2018 01:51:10 -0400 Received: from mta-p6.oit.umn.edu ([134.84.196.206]:49602 "EHLO mta-p6.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751248AbeEFFvG (ORCPT ); Sun, 6 May 2018 01:51:06 -0400 Received: from localhost (unknown [127.0.0.1]) by mta-p6.oit.umn.edu (Postfix) with ESMTP id 9BDEE909 for ; Sun, 6 May 2018 05:51:05 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p6.oit.umn.edu ([127.0.0.1]) by localhost (mta-p6.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aosd3gN-RDZ5 for ; Sun, 6 May 2018 00:51:05 -0500 (CDT) Received: from mail-it0-f71.google.com (mail-it0-f71.google.com [209.85.214.71]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p6.oit.umn.edu (Postfix) with ESMTPS id 7769791D for ; Sun, 6 May 2018 00:51:05 -0500 (CDT) Received: by mail-it0-f71.google.com with SMTP id n83-v6so6058041itg.2 for ; Sat, 05 May 2018 22:51:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id; bh=CpOQZ1IkdP9QtIwxlrvheEY0pCDIoFseLcBKNXyji6c=; b=BShqMg9bzJYLAaKToro69oEjXaEzJM/PBH7irnEFCdACto6OuS+69+hDlB4qaiF6Qf HJBusbQHZmSrnRAwC48TZTLlSVcAguMo5u+UsFmLuncd31pERcaet4Rpxi7sK9neDJ6u fHMbVmjPpzZEz8El5lVNvDIvXze9qH0Y2AvtUwD8eHfIFbo3JmhMX0pvQhbTQKRwGubg ggVXMC27JTFd7W8HILx06+j5Oh4mH5vbmn0D9Ymy7NQe5kEAheXlPJlpvowFtxklCwk/ mYQ7clPQu/3SSF+l70aSiTrPHYUJtI33UP01zrtElUNCQA7o9+482XL+WYS02Xw7hsxB RDsg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=CpOQZ1IkdP9QtIwxlrvheEY0pCDIoFseLcBKNXyji6c=; b=Sa4CKLZnIJjn0wDWKZ9Eu96xofPpot4YD/Z2QryNCan8l1OleOJe5qRpjfgQcSpBg/ 7DkEHjXHQVu3+t3c18uZ+w/AdYy/5gta++BRg4fH2gFkapf//LHqttfdwcbgQykahwxb tg2QaK1xJBMiDvt1byLcUdITcDs7PTuxzd4DdkPAggcGnD9NdR/6itylxe+J/NjflgjV EJzM+ivIz1pbDw0pL4DYneXZ064tnZ3jWvtR259M52lzuhDNfwnDvdNF4MlUeLpOZP3r l84E9ABmmgOhsMo3p1BT19RqsG2DY4zSMGUtWF9R99FdYw2zp0Al7Yd8K5uEwSWMfXv5 8MOA== X-Gm-Message-State: ALQs6tC7E2KiTjmaC8TI/hwuV3G8zhI4KBc8Adtn+33FtVHrsabfD6cu UFttMnNICTITupmr5jLGkGQQvV1Ws14kQL7HrwyPEoeNW4mMbzVNbLKrjAUFeTKA9a+yuxsGlL5 dEETIuHSzmAEZ4cZRqyEMPjBXEa2H X-Received: by 2002:a24:4089:: with SMTP id n131-v6mr32158674ita.8.1525585865105; Sat, 05 May 2018 22:51:05 -0700 (PDT) X-Received: by 2002:a24:4089:: with SMTP id n131-v6mr32158667ita.8.1525585864937; Sat, 05 May 2018 22:51:04 -0700 (PDT) Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu. [134.84.121.95]) by smtp.gmail.com with ESMTPSA id x189-v6sm2829939ite.5.2018.05.05.22.51.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 05 May 2018 22:51:04 -0700 (PDT) From: Wenwen Wang To: Wenwen Wang Cc: Kangjie Lu , Adam Radford , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list) Subject: [PATCH] scsi: 3ware: fix a missing-check bug Date: Sun, 6 May 2018 00:50:47 -0500 Message-Id: <1525585856-17639-1-git-send-email-wang6495@umn.edu> X-Mailer: git-send-email 2.7.4 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In twl_chrdev_ioctl(), the ioctl driver command is firstly copied from the userspace pointer 'argp' and saved to the kernel object 'driver_command'. Then a security check is performed on the data buffer size indicated by 'driver_command', which is 'driver_command.buffer_length'. If the security check is passed, the entire ioctl command is copied again from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various operations are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in userspace, a malicious userspace process can race to change the buffer size between the two copies. This way, the user can bypass the security check and inject invalid data buffer size. This can cause potential security issues in the following execution. This patch checks the buffer size obtained in the second copy. An error code -EINVAL will be returned if it is not same as the original one in the first copy. Signed-off-by: Wenwen Wang --- drivers/scsi/3w-sas.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/scsi/3w-sas.c b/drivers/scsi/3w-sas.c index cf9f2a0..ea41969 100644 --- a/drivers/scsi/3w-sas.c +++ b/drivers/scsi/3w-sas.c @@ -757,6 +757,11 @@ static long twl_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long /* Now copy down the entire ioctl */ if (copy_from_user(tw_ioctl, argp, driver_command.buffer_length + sizeof(TW_Ioctl_Buf_Apache) - 1)) goto out3; + if (tw_ioctl->driver_command.buffer_length != + driver_command.buffer_length) { + retval = -EINVAL; + goto out3; + } /* See which ioctl we are doing */ switch (cmd) { -- 2.7.4