Received: by 10.192.165.148 with SMTP id m20csp2682868imm; Sun, 6 May 2018 22:13:38 -0700 (PDT) X-Google-Smtp-Source: AB8JxZr0vggBjykNDdfwX7OKKu3++gvcroqJvXOHwDcmlb8Ag3NGVOyuZeGdbzv9pndb248et4RB X-Received: by 10.98.219.5 with SMTP id f5mr35560458pfg.137.1525670018163; Sun, 06 May 2018 22:13:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525670018; cv=none; d=google.com; s=arc-20160816; b=s9ihN22Qhyjq97P6P7F2wyTcSWtZoV8GezVJuI5xtGH027qEZZpGKGXgpqiv4OPlcP KXodBvSt58lAYvBbIYHDMUcMYZ4WMO1P1j5NdJYNGZsLjiTAD8mOEofqbtQKnb9RkQL2 YhBEHNJ1VX8ZyR6ra6fAEVab2Img4NZAbXkq2UTIb3YHzWDKd1Ed/u7vW63/2JgJMX6y mDfPkEA2fJeteL2Hzer6134asASUBvapx2ITwUuFNwe+O4GGWDVnVHIbOnroo7ed6WEQ STUUZnw80B2CzgmGCrK/nx+PWhCqzAp8Tt2oAECtuP/vstcBKBOgBmKdWwVwQybohJqt tvGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:reply-to :arc-authentication-results; bh=2442vj3n772gH24cUterEEKbXoDO8gnq2OsKljB+3hc=; b=HpmKd7tGzInx/DtlbNxrnyiIfqpzUtvgSJITyetBd7HT7hRIDBGj18DQ/duoGEdkaF 7QpKG9zuaa611J0b7R4w3+C2Pbx8khpJPPVnvBdnY7MlxEEpAxlnwvigHH++u9roUkyI aF7luHrgBFowMqdiWaax8Ag4jBgJkExYMneKRqa/pebRrGAhVtL80Nt/fzFMq2BQZ1cY XtcTscAVgOQzwiu4EQaZmqeoYc41F/qwbJA+kXR0gqkA31pWQVEJx6wqp5cZTrc4NCc7 nekEpy3okCtNjDeQqu28jF0vbVbpAh20eaDT+JNSYvELUZIoGYVEVKZdTY654yj/cw8Z miGw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 89si21562027pfs.362.2018.05.06.22.13.21; Sun, 06 May 2018 22:13:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751893AbeEGFNL (ORCPT + 99 others); Mon, 7 May 2018 01:13:11 -0400 Received: from smtp.infotech.no ([82.134.31.41]:51877 "EHLO smtp.infotech.no" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750990AbeEGFNI (ORCPT ); Mon, 7 May 2018 01:13:08 -0400 Received: from localhost (localhost [127.0.0.1]) by smtp.infotech.no (Postfix) with ESMTP id E94C92041CE; Mon, 7 May 2018 07:13:05 +0200 (CEST) X-Virus-Scanned: by amavisd-new-2.6.6 (20110518) (Debian) at infotech.no Received: from smtp.infotech.no ([127.0.0.1]) by localhost (smtp.infotech.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xSu7oogAdQ6j; Mon, 7 May 2018 07:13:05 +0200 (CEST) Received: from [10.7.0.18] (unknown [10.7.0.18]) by smtp.infotech.no (Postfix) with ESMTPA id D560720414C; Mon, 7 May 2018 07:13:04 +0200 (CEST) Reply-To: dgilbert@interlog.com Subject: Re: [PATCH] scsi: sg: fix a missing-check bug To: Wenwen Wang Cc: Kangjie Lu , "James E.J. Bottomley" , "Martin K. Petersen" , "open list:SCSI SG DRIVER" , open list References: <1525576895-15708-1-git-send-email-wang6495@umn.edu> From: Douglas Gilbert Message-ID: Date: Mon, 7 May 2018 01:13:03 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <1525576895-15708-1-git-send-email-wang6495@umn.edu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-CA Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-05-05 11:21 PM, Wenwen Wang wrote: > In sg_write(), the opcode of the command is firstly copied from the > userspace pointer 'buf' and saved to the kernel variable 'opcode', using > the __get_user() function. The size of the command, i.e., 'cmd_size' is > then calculated based on the 'opcode'. After that, the whole command, > including the opcode, is copied again from 'buf' using the > __copy_from_user() function and saved to 'cmnd'. Finally, the function > sg_common_write() is invoked to process 'cmnd'. Given that the 'buf' > pointer resides in userspace, a malicious userspace process can race to > change the opcode of the command between the two copies. That means, the > opcode indicated by the variable 'opcode' could be different from the > opcode in 'cmnd'. This can cause inconsistent data in 'cmnd' and > potential logical errors in the function sg_common_write(), as it needs to > work on 'cmnd'. > > This patch reuses the opcode obtained in the first copy and only copies the > remaining part of the command from userspace. > > Signed-off-by: Wenwen Wang > --- > drivers/scsi/sg.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c > index c198b963..0ad8106 100644 > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c > @@ -657,7 +657,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) > hp->flags = input_size; /* structure abuse ... */ > hp->pack_id = old_hdr.pack_id; > hp->usr_ptr = NULL; > - if (__copy_from_user(cmnd, buf, cmd_size)) > + cmnd[0] = opcode; > + if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1)) > return -EFAULT; > /* > * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV, > That is in the deprecated "v2" part of the sg driver (for around 15 years). There are lots more interesting races with that interface than that one described above. My guess is that all system calls would be susceptible to playing around with a buffer being passed to or from the OS by a thread other than the one doing the system call, during that call. Surely no Unix like OS gives any security guarantees to a thread being attacked by a malevolent thread in the same process! My question is did this actually cause to program to fail; or is it something that a sanity checker flagged? Also wouldn't it be better just to return an error such as EINVAL if opcode != command[0] ? Doug Gilbert