Received: by 10.192.165.148 with SMTP id m20csp3685019imm; Mon, 7 May 2018 17:21:15 -0700 (PDT) X-Google-Smtp-Source: AB8JxZr7XLLMqqVcRWljQNaSmvQrVVaGGclC20R0wZ4JSy0Tj1JEfwAV45Qw4uNDyUvpQ4ZiBAKM X-Received: by 2002:a17:902:7e4a:: with SMTP id a10-v6mr39738315pln.276.1525738875329; Mon, 07 May 2018 17:21:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525738875; cv=none; d=google.com; s=arc-20160816; b=qi+BokJaztVNVY5udH9VBF4jLx5ueGTBFXNdq8qyPht3HhaS/1OeHBHbDb3GehvPhz 3YX2oFuKyg+GBllOymIs8gE+8jnf9uZCUpL5IAbXrUVIfiIRP6we5N7rJv5lPikBk1Hy iMZAXd5K1+cl2mg3lwOVSoDki+rJFlbyncpFaPKYRCWFIxk0u+L3Vyl2Coizy0d5MTXt DYrzXJ42VFtyxy9H6PD4tBHR4rmrL0l5bZAFHKkJQGwNFS0xstz0NE+2k6gVR+hVYSb6 4JGYrT9avK7QhESch0gIbBjyjc25rampw80uZGRMAujrPw1v4adA92s3mIWEUjdcRx4F h8tg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=ng3LMrmYwdtqsSeKEqXxcNchQbkDqdvBcOLaeiyydXg=; b=0X2QcIpZ1CeYu2Fvy1QUv0uRcF981vblElRMdPKIuP6LhcE84BO2xar9k29wFHOpr/ J0yvxQVD0FOgNBV+SmGyAeTVsvg1q1xBcTCuJyVmSIESHy+xoD2owSMzDDTCAoGZWY9S os0IfCPAEQt5l/5/uizO8M49PoGX7reYUCSb4CFX6e6eR5TeezNluSm+7D10SzK4Q8VS DTWQVxwG5PYEnr9ljo5U7BLCgJMiUxnjAyeolZ6DpEExwehtRalPHRUkPk0M3T++uwdN 84GGZd8ksXcH6D+dg2tbHqCgy7Rm6194Ijv6a0rGRIHdVK5/U97SffLEUqgbyVibk4yP yG/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=MpkTnLhA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l9si23099694pff.270.2018.05.07.17.21.01; Mon, 07 May 2018 17:21:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=MpkTnLhA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753606AbeEHAUo (ORCPT + 99 others); Mon, 7 May 2018 20:20:44 -0400 Received: from mail-oi0-f68.google.com ([209.85.218.68]:41557 "EHLO mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753586AbeEHAUm (ORCPT ); Mon, 7 May 2018 20:20:42 -0400 Received: by mail-oi0-f68.google.com with SMTP id 11-v6so26820384ois.8; Mon, 07 May 2018 17:20:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ng3LMrmYwdtqsSeKEqXxcNchQbkDqdvBcOLaeiyydXg=; b=MpkTnLhAveQbJB14kGyDiyMCNJa7CJc1XevaSJ1EiYA1lu7xB6AN7t0Ro5xUDZr9qt eHqmR9Uc8wFaxfp5MeqyWB1GZmWdqxBapxD581cCYmlazws1C4x2Rb/eiuiRCxnqAmFL 4FtaCdndLP2t71JqJL/fTLYCaapTzpRJqXVhAiwZDNobfyVUj96pqC4tQIr+5BSB/5K1 PBORSM/7Q905zQnPsgVmKfZsCjWoAlfmeRtgPtuOiuxOU5fnOya5F2ajkK5ASAWo5ClH pxTEgG2lg5q9kqRKLBNSFppFY13abzWI44OkJGkSsepYYNS8X90d2DHznnKOZ/VNHTwn Qn2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ng3LMrmYwdtqsSeKEqXxcNchQbkDqdvBcOLaeiyydXg=; b=KLyPUqxqIkwusmSkHJZIpFmy7WT1bkkAzHyVtcB02KOwltKKIt5gOMJ9WKGSKpW9/M 1LssiQn+MSV++P0O4eICB75twhAj4a4fGHlomEtT6EFooSQ+7XpjEWjFvMylsfJACdSe enXGyl13RubCugMf1+kFANc0PHFbPThULTzf33/Vvr78tQYz41nUR9hN3HcgrFk+/y9S XD+b/YZW6VeJQvvX6TYyEws6DoNLhwBd0XOvl7/yhtUCAfV8J7pxc2gpm+3MihroLwaQ /kS8OCzuB2o7JLB4mJjCT/FoF13mF/H5OsGQNFKGHyW9vdHfhF4QnTxfhvxBVZcIYzIW lVCg== X-Gm-Message-State: ALQs6tCirZ8QPS2lcKxPMUAbCQm/qx6nxfsZ/YaEdzItKSoEXmvaRKvE tfKybdQFdfOFwJgzcu0rMAYOfLvIW0IaV3WoxMI= X-Received: by 2002:aca:d804:: with SMTP id p4-v6mr23541137oig.29.1525738841974; Mon, 07 May 2018 17:20:41 -0700 (PDT) MIME-Version: 1.0 Received: by 10.201.24.207 with HTTP; Mon, 7 May 2018 17:20:41 -0700 (PDT) In-Reply-To: <1525585856-17639-1-git-send-email-wang6495@umn.edu> References: <1525585856-17639-1-git-send-email-wang6495@umn.edu> From: adam radford Date: Mon, 7 May 2018 17:20:41 -0700 Message-ID: Subject: Re: [PATCH] scsi: 3ware: fix a missing-check bug To: Wenwen Wang Cc: Kangjie Lu , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi , open list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, May 5, 2018 at 10:50 PM, Wenwen Wang wrote: > In twl_chrdev_ioctl(), the ioctl driver command is firstly copied from the > userspace pointer 'argp' and saved to the kernel object 'driver_command'. > Then a security check is performed on the data buffer size indicated by > 'driver_command', which is 'driver_command.buffer_length'. If the security > check is passed, the entire ioctl command is copied again from the 'argp' > pointer and saved to the kernel object 'tw_ioctl'. Then, various operations > are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' > pointer resides in userspace, a malicious userspace process can race to > change the buffer size between the two copies. This way, the user can > bypass the security check and inject invalid data buffer size. This can > cause potential security issues in the following execution. > > This patch checks the buffer size obtained in the second copy. An error > code -EINVAL will be returned if it is not same as the original one in the > first copy. > > Signed-off-by: Wenwen Wang > --- > drivers/scsi/3w-sas.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/scsi/3w-sas.c b/drivers/scsi/3w-sas.c > index cf9f2a0..ea41969 100644 > --- a/drivers/scsi/3w-sas.c > +++ b/drivers/scsi/3w-sas.c > @@ -757,6 +757,11 @@ static long twl_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long > /* Now copy down the entire ioctl */ > if (copy_from_user(tw_ioctl, argp, driver_command.buffer_length + sizeof(TW_Ioctl_Buf_Apache) - 1)) > goto out3; > + if (tw_ioctl->driver_command.buffer_length != > + driver_command.buffer_length) { > + retval = -EINVAL; > + goto out3; > + } > > /* See which ioctl we are doing */ > switch (cmd) { > -- > 2.7.4 > 1. Returning -EINVAL after the copy_from_user() doesn't prevent any invalid copy down to kernel mode from happening. 2. twl_chrdev_open() checks for capable(CAP_SYS_ADMIN): https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/scsi/3w-sas.c#n834 I don't see the point in this patch. -Adam