Received: by 10.192.165.148 with SMTP id m20csp3692454imm;
        Mon, 7 May 2018 17:32:16 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqZXxgQUGaaVYa8hYCAbFaYDMUKMIkP9qbwvdBeMdZfzvRxy0OAeCf9BVFLiHPt4FKS8HJH
X-Received: by 10.98.178.208 with SMTP id z77mr37946059pfl.122.1525739536538;
        Mon, 07 May 2018 17:32:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525739536; cv=none;
        d=google.com; s=arc-20160816;
        b=1BSLsePaD01Ln1s2YEDuXOJ2g/w/pxZiXd5bpf99HhfkAtyp5ZGPDwzstHl/x3rXca
         wmEYlAymzTBkjztVC275s6/CPJhhOvVdWm5mBA9aFnn1IdxN+aCV4VC+XZjbWMEx9p1g
         zYf53qKJ4/eoxQF8Y8s60TuUKVD4BL+a5Wq8u86mIL82XX19DsZWigUr6s5WvvRvUDOb
         BxoTmiOkQP7MR2curDLjWVf3UDOtaVfnS9SvSEWd9yMH/HVfaywgha7tsOKpTpQMjDup
         GqJehsmHbFVCLgryy6WPacc2njPZjjR/dVLDqimG+8J53A0iRquxe6dhy3OMTCRW074z
         EP+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=8U3L9VkYxgNW5B9CtGsNCPJMeRj7mcGrcWp7YiExSrE=;
        b=hffCjwC2Y/4CUJw3fWqlZg68eMQhKCGUYe9nJTWBi2i2nBw2S/qkcxYn/+DhNZZdtT
         IFiPq6+gt44946jWQF6vwpGLtCXzjGJym1F2EOwUNZ5kdeS5jRfVFAC6gaNWtLe6H8Le
         HRVXtSg1CDii5nJ3Nas2e8pGHM9s+P+Om9xNSH8zQwCOBt2QCONf6M3tityEpGtLF/8C
         PClAUJc/bDLOrj2esR2mk73Wii/wGoBvsb2Z4zxs21qXbrvlD824QTy6N4aX0hLGQ5Ys
         7HDo5FggR7Zyiho6mVZ5XHmWiLkO4xzYy4COc/gezJS0QB9wlpp4qylkkwY3uVclHK76
         rtuA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=jm1jxDBh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m26si22825003pfa.45.2018.05.07.17.32.02;
        Mon, 07 May 2018 17:32:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=jm1jxDBh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753725AbeEHAba (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Mon, 7 May 2018 20:31:30 -0400
Received: from mail-ot0-f193.google.com ([74.125.82.193]:40244 "EHLO
        mail-ot0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753085AbeEHAb2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 May 2018 20:31:28 -0400
Received: by mail-ot0-f193.google.com with SMTP id n1-v6so34137613otf.7;
        Mon, 07 May 2018 17:31:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=8U3L9VkYxgNW5B9CtGsNCPJMeRj7mcGrcWp7YiExSrE=;
        b=jm1jxDBhlbnD8po6rshQxnJg6LS6mZF6wPsrU7S4N3zQAYqmA8qnpgIDQdhRPlNIjz
         b/D8ujcFFy18FNd8i0lE60grI3pkJxbcns4iugyKvWUIdVBe2SSXTkobfavytCrR6kl9
         lQ5uMXDGrOuwWaLHSnAZpbdMNl/ISAAi4EtsjdK1bns5SCFRJz+MjhaYM1v0dKqQ8fiQ
         n9szZ4tbf20pIdEWl/79y++bPyY5pFG752cSKDeWbRIS8oSE/xCFSAEPnqOA+zY0DXkX
         OBxA3gxaqAndlSc694OSuXtf5ut3HbNTraii+NCR7h9hPOtsPxNnoBhc/5a8UfPdLCbG
         z2iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=8U3L9VkYxgNW5B9CtGsNCPJMeRj7mcGrcWp7YiExSrE=;
        b=p9LUTtLsHoDiE5nn2ssx3dk2R0Lhi0USEkMSniYJ3X07FW/4s7IvovyQnfv3Nm8v14
         OBTgqEcIBSVc93qeBja/z9yVUK6gydOj+umL91P/Kk5q3LCbq0x/Ikwyk7yxad4Mu1bz
         3x0GQD8v8t1QTSgoszvF1SWcLc7gALI+28vzRzJ02zxbWVjIWK1g6520ITgh584oUwD8
         zoSViS+1NA/hVkR53eTT6pJj1bI8kWo8F4/In84Oju5JgY9oS3q1sqMNkqi735bAv0pg
         3FcZHo4QJgo5P2DkUB04lAQMoj0WCvV4E00TNmyC7jm0Sf2bxvE2UOWT5PbJqpeavNy7
         bS8g==
X-Gm-Message-State: ALQs6tA75JErRGs3AxJpHX+/EEJf7VZY724kA5VxqR/WVgbS/D1Gqe4G
        glXz7JLyT7pbzfXRTKZNCsjDbcMcDSd6YjgQekchXQ==
X-Received: by 2002:a9d:150b:: with SMTP id u11-v6mr26598956otf.350.1525739487765;
 Mon, 07 May 2018 17:31:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.24.207 with HTTP; Mon, 7 May 2018 17:31:27 -0700 (PDT)
In-Reply-To: <1525585714-17548-1-git-send-email-wang6495@umn.edu>
References: <1525585714-17548-1-git-send-email-wang6495@umn.edu>
From:   adam radford <aradford@gmail.com>
Date:   Mon, 7 May 2018 17:31:27 -0700
Message-ID: <CAHtARFFcrKnCtaH8hSLEFnia_pphL8UJ24Oxy=_r77fPRq5j0Q@mail.gmail.com>
Subject: Re: [PATCH] scsi: 3w-xxxx: fix a missing-check bug
To:     Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi <linux-scsi@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, May 5, 2018 at 10:48 PM, Wenwen Wang <wang6495@umn.edu> wrote:
> In tw_chrdev_ioctl(), the length of the data buffer is firstly copied from
> the userspace pointer 'argp' and saved to the kernel object
> 'data_buffer_length'. Then a security check is performed on it to make sure
> that the length is not more than 'TW_MAX_IOCTL_SECTORS * 512'. Otherwise,
> an error code -EINVAL is returned. If the security check is passed, the
> entire ioctl command is copied again from the 'argp' pointer and saved to
> the kernel object 'tw_ioctl'. Then, various operations are performed on
> 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in
> userspace, a malicious userspace process can race to change the buffer
> length between the two copies. This way, the user can bypass the security
> check and inject invalid data buffer length. This can cause potential
> security issues in the following execution.
>
> This patch checks the buffer length obtained in the second copy. An error
> code -EINVAL will be returned if it is not same as the original one in the
> first copy.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
>  drivers/scsi/3w-xxxx.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
> index 33261b6..ef79194 100644
> --- a/drivers/scsi/3w-xxxx.c
> +++ b/drivers/scsi/3w-xxxx.c
> @@ -919,6 +919,10 @@ static long tw_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long a
>         /* Now copy down the entire ioctl */
>         if (copy_from_user(tw_ioctl, argp, data_buffer_length + sizeof(TW_New_Ioctl) - 1))
>                 goto out2;
> +       if (tw_ioctl->data_buffer_length != data_buffer_length) {
> +               retval = -EINVAL;
> +               goto out2;
> +       }
>
>         passthru = (TW_Passthru *)&tw_ioctl->firmware_command;
>
> --
> 2.7.4
>

I would drop this patch and check for !capable(CAP_SYS_ADMIN) in
tw_chrdev_open() instead.

-Adam