Received: by 10.192.165.148 with SMTP id m20csp3685019imm;
        Mon, 7 May 2018 17:21:15 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZr7XLLMqqVcRWljQNaSmvQrVVaGGclC20R0wZ4JSy0Tj1JEfwAV45Qw4uNDyUvpQ4ZiBAKM
X-Received: by 2002:a17:902:7e4a:: with SMTP id a10-v6mr39738315pln.276.1525738875329;
        Mon, 07 May 2018 17:21:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525738875; cv=none;
        d=google.com; s=arc-20160816;
        b=qi+BokJaztVNVY5udH9VBF4jLx5ueGTBFXNdq8qyPht3HhaS/1OeHBHbDb3GehvPhz
         3YX2oFuKyg+GBllOymIs8gE+8jnf9uZCUpL5IAbXrUVIfiIRP6we5N7rJv5lPikBk1Hy
         iMZAXd5K1+cl2mg3lwOVSoDki+rJFlbyncpFaPKYRCWFIxk0u+L3Vyl2Coizy0d5MTXt
         DYrzXJ42VFtyxy9H6PD4tBHR4rmrL0l5bZAFHKkJQGwNFS0xstz0NE+2k6gVR+hVYSb6
         4JGYrT9avK7QhESch0gIbBjyjc25rampw80uZGRMAujrPw1v4adA92s3mIWEUjdcRx4F
         h8tg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=ng3LMrmYwdtqsSeKEqXxcNchQbkDqdvBcOLaeiyydXg=;
        b=0X2QcIpZ1CeYu2Fvy1QUv0uRcF981vblElRMdPKIuP6LhcE84BO2xar9k29wFHOpr/
         J0yvxQVD0FOgNBV+SmGyAeTVsvg1q1xBcTCuJyVmSIESHy+xoD2owSMzDDTCAoGZWY9S
         os0IfCPAEQt5l/5/uizO8M49PoGX7reYUCSb4CFX6e6eR5TeezNluSm+7D10SzK4Q8VS
         DTWQVxwG5PYEnr9ljo5U7BLCgJMiUxnjAyeolZ6DpEExwehtRalPHRUkPk0M3T++uwdN
         84GGZd8ksXcH6D+dg2tbHqCgy7Rm6194Ijv6a0rGRIHdVK5/U97SffLEUqgbyVibk4yP
         yG/w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=MpkTnLhA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l9si23099694pff.270.2018.05.07.17.21.01;
        Mon, 07 May 2018 17:21:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=MpkTnLhA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753606AbeEHAUo (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Mon, 7 May 2018 20:20:44 -0400
Received: from mail-oi0-f68.google.com ([209.85.218.68]:41557 "EHLO
        mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753586AbeEHAUm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 May 2018 20:20:42 -0400
Received: by mail-oi0-f68.google.com with SMTP id 11-v6so26820384ois.8;
        Mon, 07 May 2018 17:20:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=ng3LMrmYwdtqsSeKEqXxcNchQbkDqdvBcOLaeiyydXg=;
        b=MpkTnLhAveQbJB14kGyDiyMCNJa7CJc1XevaSJ1EiYA1lu7xB6AN7t0Ro5xUDZr9qt
         eHqmR9Uc8wFaxfp5MeqyWB1GZmWdqxBapxD581cCYmlazws1C4x2Rb/eiuiRCxnqAmFL
         4FtaCdndLP2t71JqJL/fTLYCaapTzpRJqXVhAiwZDNobfyVUj96pqC4tQIr+5BSB/5K1
         PBORSM/7Q905zQnPsgVmKfZsCjWoAlfmeRtgPtuOiuxOU5fnOya5F2ajkK5ASAWo5ClH
         pxTEgG2lg5q9kqRKLBNSFppFY13abzWI44OkJGkSsepYYNS8X90d2DHznnKOZ/VNHTwn
         Qn2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=ng3LMrmYwdtqsSeKEqXxcNchQbkDqdvBcOLaeiyydXg=;
        b=KLyPUqxqIkwusmSkHJZIpFmy7WT1bkkAzHyVtcB02KOwltKKIt5gOMJ9WKGSKpW9/M
         1LssiQn+MSV++P0O4eICB75twhAj4a4fGHlomEtT6EFooSQ+7XpjEWjFvMylsfJACdSe
         enXGyl13RubCugMf1+kFANc0PHFbPThULTzf33/Vvr78tQYz41nUR9hN3HcgrFk+/y9S
         XD+b/YZW6VeJQvvX6TYyEws6DoNLhwBd0XOvl7/yhtUCAfV8J7pxc2gpm+3MihroLwaQ
         /kS8OCzuB2o7JLB4mJjCT/FoF13mF/H5OsGQNFKGHyW9vdHfhF4QnTxfhvxBVZcIYzIW
         lVCg==
X-Gm-Message-State: ALQs6tCirZ8QPS2lcKxPMUAbCQm/qx6nxfsZ/YaEdzItKSoEXmvaRKvE
        tfKybdQFdfOFwJgzcu0rMAYOfLvIW0IaV3WoxMI=
X-Received: by 2002:aca:d804:: with SMTP id p4-v6mr23541137oig.29.1525738841974;
 Mon, 07 May 2018 17:20:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.24.207 with HTTP; Mon, 7 May 2018 17:20:41 -0700 (PDT)
In-Reply-To: <1525585856-17639-1-git-send-email-wang6495@umn.edu>
References: <1525585856-17639-1-git-send-email-wang6495@umn.edu>
From:   adam radford <aradford@gmail.com>
Date:   Mon, 7 May 2018 17:20:41 -0700
Message-ID: <CAHtARFHhLtG=LuQxqwB4eM5yUdZMkb4Xu0wkuu5nrOL6GQZVTw@mail.gmail.com>
Subject: Re: [PATCH] scsi: 3ware: fix a missing-check bug
To:     Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi <linux-scsi@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, May 5, 2018 at 10:50 PM, Wenwen Wang <wang6495@umn.edu> wrote:
> In twl_chrdev_ioctl(), the ioctl driver command is firstly copied from the
> userspace pointer 'argp' and saved to the kernel object 'driver_command'.
> Then a security check is performed on the data buffer size indicated by
> 'driver_command', which is 'driver_command.buffer_length'. If the security
> check is passed, the entire ioctl command is copied again from the 'argp'
> pointer and saved to the kernel object 'tw_ioctl'. Then, various operations
> are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp'
> pointer resides in userspace, a malicious userspace process can race to
> change the buffer size between the two copies. This way, the user can
> bypass the security check and inject invalid data buffer size. This can
> cause potential security issues in the following execution.
>
> This patch checks the buffer size obtained in the second copy. An error
> code -EINVAL will be returned if it is not same as the original one in the
> first copy.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
>  drivers/scsi/3w-sas.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/scsi/3w-sas.c b/drivers/scsi/3w-sas.c
> index cf9f2a0..ea41969 100644
> --- a/drivers/scsi/3w-sas.c
> +++ b/drivers/scsi/3w-sas.c
> @@ -757,6 +757,11 @@ static long twl_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long
>         /* Now copy down the entire ioctl */
>         if (copy_from_user(tw_ioctl, argp, driver_command.buffer_length + sizeof(TW_Ioctl_Buf_Apache) - 1))
>                 goto out3;
> +       if (tw_ioctl->driver_command.buffer_length !=
> +           driver_command.buffer_length) {
> +               retval = -EINVAL;
> +               goto out3;
> +       }
>
>         /* See which ioctl we are doing */
>         switch (cmd) {
> --
> 2.7.4
>

1. Returning -EINVAL after the copy_from_user() doesn't prevent any
invalid copy down to kernel mode from happening.
2. twl_chrdev_open() checks for capable(CAP_SYS_ADMIN):

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/scsi/3w-sas.c#n834

I don't see the point in this patch.

-Adam