Received: by 10.192.165.148 with SMTP id m20csp3692454imm; Mon, 7 May 2018 17:32:16 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqZXxgQUGaaVYa8hYCAbFaYDMUKMIkP9qbwvdBeMdZfzvRxy0OAeCf9BVFLiHPt4FKS8HJH X-Received: by 10.98.178.208 with SMTP id z77mr37946059pfl.122.1525739536538; Mon, 07 May 2018 17:32:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525739536; cv=none; d=google.com; s=arc-20160816; b=1BSLsePaD01Ln1s2YEDuXOJ2g/w/pxZiXd5bpf99HhfkAtyp5ZGPDwzstHl/x3rXca wmEYlAymzTBkjztVC275s6/CPJhhOvVdWm5mBA9aFnn1IdxN+aCV4VC+XZjbWMEx9p1g zYf53qKJ4/eoxQF8Y8s60TuUKVD4BL+a5Wq8u86mIL82XX19DsZWigUr6s5WvvRvUDOb BxoTmiOkQP7MR2curDLjWVf3UDOtaVfnS9SvSEWd9yMH/HVfaywgha7tsOKpTpQMjDup GqJehsmHbFVCLgryy6WPacc2njPZjjR/dVLDqimG+8J53A0iRquxe6dhy3OMTCRW074z EP+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=8U3L9VkYxgNW5B9CtGsNCPJMeRj7mcGrcWp7YiExSrE=; b=hffCjwC2Y/4CUJw3fWqlZg68eMQhKCGUYe9nJTWBi2i2nBw2S/qkcxYn/+DhNZZdtT IFiPq6+gt44946jWQF6vwpGLtCXzjGJym1F2EOwUNZ5kdeS5jRfVFAC6gaNWtLe6H8Le HRVXtSg1CDii5nJ3Nas2e8pGHM9s+P+Om9xNSH8zQwCOBt2QCONf6M3tityEpGtLF/8C PClAUJc/bDLOrj2esR2mk73Wii/wGoBvsb2Z4zxs21qXbrvlD824QTy6N4aX0hLGQ5Ys 7HDo5FggR7Zyiho6mVZ5XHmWiLkO4xzYy4COc/gezJS0QB9wlpp4qylkkwY3uVclHK76 rtuA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=jm1jxDBh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m26si22825003pfa.45.2018.05.07.17.32.02; Mon, 07 May 2018 17:32:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=jm1jxDBh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753725AbeEHAba (ORCPT + 99 others); Mon, 7 May 2018 20:31:30 -0400 Received: from mail-ot0-f193.google.com ([74.125.82.193]:40244 "EHLO mail-ot0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753085AbeEHAb2 (ORCPT ); Mon, 7 May 2018 20:31:28 -0400 Received: by mail-ot0-f193.google.com with SMTP id n1-v6so34137613otf.7; Mon, 07 May 2018 17:31:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8U3L9VkYxgNW5B9CtGsNCPJMeRj7mcGrcWp7YiExSrE=; b=jm1jxDBhlbnD8po6rshQxnJg6LS6mZF6wPsrU7S4N3zQAYqmA8qnpgIDQdhRPlNIjz b/D8ujcFFy18FNd8i0lE60grI3pkJxbcns4iugyKvWUIdVBe2SSXTkobfavytCrR6kl9 lQ5uMXDGrOuwWaLHSnAZpbdMNl/ISAAi4EtsjdK1bns5SCFRJz+MjhaYM1v0dKqQ8fiQ n9szZ4tbf20pIdEWl/79y++bPyY5pFG752cSKDeWbRIS8oSE/xCFSAEPnqOA+zY0DXkX OBxA3gxaqAndlSc694OSuXtf5ut3HbNTraii+NCR7h9hPOtsPxNnoBhc/5a8UfPdLCbG z2iw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8U3L9VkYxgNW5B9CtGsNCPJMeRj7mcGrcWp7YiExSrE=; b=p9LUTtLsHoDiE5nn2ssx3dk2R0Lhi0USEkMSniYJ3X07FW/4s7IvovyQnfv3Nm8v14 OBTgqEcIBSVc93qeBja/z9yVUK6gydOj+umL91P/Kk5q3LCbq0x/Ikwyk7yxad4Mu1bz 3x0GQD8v8t1QTSgoszvF1SWcLc7gALI+28vzRzJ02zxbWVjIWK1g6520ITgh584oUwD8 zoSViS+1NA/hVkR53eTT6pJj1bI8kWo8F4/In84Oju5JgY9oS3q1sqMNkqi735bAv0pg 3FcZHo4QJgo5P2DkUB04lAQMoj0WCvV4E00TNmyC7jm0Sf2bxvE2UOWT5PbJqpeavNy7 bS8g== X-Gm-Message-State: ALQs6tA75JErRGs3AxJpHX+/EEJf7VZY724kA5VxqR/WVgbS/D1Gqe4G glXz7JLyT7pbzfXRTKZNCsjDbcMcDSd6YjgQekchXQ== X-Received: by 2002:a9d:150b:: with SMTP id u11-v6mr26598956otf.350.1525739487765; Mon, 07 May 2018 17:31:27 -0700 (PDT) MIME-Version: 1.0 Received: by 10.201.24.207 with HTTP; Mon, 7 May 2018 17:31:27 -0700 (PDT) In-Reply-To: <1525585714-17548-1-git-send-email-wang6495@umn.edu> References: <1525585714-17548-1-git-send-email-wang6495@umn.edu> From: adam radford Date: Mon, 7 May 2018 17:31:27 -0700 Message-ID: Subject: Re: [PATCH] scsi: 3w-xxxx: fix a missing-check bug To: Wenwen Wang Cc: Kangjie Lu , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi , open list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, May 5, 2018 at 10:48 PM, Wenwen Wang wrote: > In tw_chrdev_ioctl(), the length of the data buffer is firstly copied from > the userspace pointer 'argp' and saved to the kernel object > 'data_buffer_length'. Then a security check is performed on it to make sure > that the length is not more than 'TW_MAX_IOCTL_SECTORS * 512'. Otherwise, > an error code -EINVAL is returned. If the security check is passed, the > entire ioctl command is copied again from the 'argp' pointer and saved to > the kernel object 'tw_ioctl'. Then, various operations are performed on > 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in > userspace, a malicious userspace process can race to change the buffer > length between the two copies. This way, the user can bypass the security > check and inject invalid data buffer length. This can cause potential > security issues in the following execution. > > This patch checks the buffer length obtained in the second copy. An error > code -EINVAL will be returned if it is not same as the original one in the > first copy. > > Signed-off-by: Wenwen Wang > --- > drivers/scsi/3w-xxxx.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c > index 33261b6..ef79194 100644 > --- a/drivers/scsi/3w-xxxx.c > +++ b/drivers/scsi/3w-xxxx.c > @@ -919,6 +919,10 @@ static long tw_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long a > /* Now copy down the entire ioctl */ > if (copy_from_user(tw_ioctl, argp, data_buffer_length + sizeof(TW_New_Ioctl) - 1)) > goto out2; > + if (tw_ioctl->data_buffer_length != data_buffer_length) { > + retval = -EINVAL; > + goto out2; > + } > > passthru = (TW_Passthru *)&tw_ioctl->firmware_command; > > -- > 2.7.4 > I would drop this patch and check for !capable(CAP_SYS_ADMIN) in tw_chrdev_open() instead. -Adam