From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Adam Radford, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2] scsi: 3w-9xxx: fix a missing-check bug
Date: Mon, 7 May 2018 19:46:43 -0500
Message-Id: <1525740413-23443-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In twa_chrdev_ioctl(), the ioctl driver command is first copied from the userspace pointer 'argp' and saved to the kernel object 'driver_command'. Then a security check is performed on the data buffer size indicated by 'driver_command', which is 'driver_command.buffer_length'. If the security check is passed, the entire ioctl command is copied again from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various operations are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in userspace, a malicious userspace process can race to change the buffer size between the two copies. This way, the user can bypass the security check and inject an invalid data buffer size. This can cause potential security issues in the following execution.

This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open() to avoid the above issues.

Signed-off-by: Wenwen Wang
---
 drivers/scsi/3w-9xxx.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
index b42c9c4..99ba4a7 100644
--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w-9xxx.c
@@ -882,6 +882,11 @@ static int twa_chrdev_open(struct inode *inode, struct file *file)
 	unsigned int minor_number;
 	int retval = TW_IOCTL_ERROR_OS_ENODEV;
 
+	if (!capable(CAP_SYS_ADMIN)) {
+		retval = -EACCES;
+		goto out;
+	}
+
 	minor_number = iminor(inode);
 	if (minor_number >= twa_device_extension_count)
 		goto out;
--
2.7.4
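Review bot: the capable(CAP_SYS_ADMIN) check added at the top of twa_chrdev_open() does not remove the race the commit message describes between the two copies from 'argp' in twa_chrdev_ioctl(); it only narrows who can trigger it. If the second copy into 'tw_ioctl' still drives later operations with its own buffer_length, the handler should either re-validate that value after the second copy or copy from 'argp' once and act only on the validated copy. Two smaller points on this hunk: a failed capability check is conventionally reported as -EPERM rather than -EACCES, and gating open() instead of the ioctl means a descriptor opened by a privileged process and later inherited by or passed to an unprivileged one keeps full access to the ioctl path, so a check inside twa_chrdev_ioctl() would be the safer location if the double fetch itself is not fixed.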
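The double fetch the commit message describes, as an added example that is not part of the patch or of the 3w-9xxx driver: a userland simulation in which a "kernel" handler validates buffer_length from a first copy and then acts on a second copy, beside the single-fetch shape that closes the window. All names (demo_*), the struct layout, TW_DEMO_MAX_BUF and the racing writer are assumptions constructed for the demo; copy_from_user() is replaced by a plain memcpy so the code runs without a kernel.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes and layout for the demo, loosely modelled on the ioctl
 * shape the commit message describes; not the driver's definitions. */
#define TW_DEMO_MAX_BUF 64u

struct demo_driver_command {
	uint32_t opcode;
	uint32_t buffer_length;	/* the field the handler must validate */
};

struct demo_tw_ioctl {
	struct demo_driver_command driver_command;
	uint8_t data_buffer[TW_DEMO_MAX_BUF];
};

/* Stand-in for copy_from_user(): "userspace" is a buffer the caller
 * owns, so the copy can never fault. */
static int demo_copy_from_user(void *dst, const void *src, size_t n)
{
	memcpy(dst, src, n);
	return 0;
}

/* Hook run between the two fetches; in a real kernel this is a second
 * thread of the calling process rewriting the shared page. */
typedef void (*demo_race_fn)(struct demo_tw_ioctl *user_argp);

/* Vulnerable shape: the size is validated from the first fetch but the
 * handler later trusts the size from the second fetch. Rather than really
 * copying buffer_length bytes (which would overflow), it reports the
 * length it would have used so the bypass can be observed safely. */
static int demo_ioctl_double_fetch(struct demo_tw_ioctl *argp,
				   demo_race_fn race, uint32_t *used_len)
{
	struct demo_driver_command driver_command;
	struct demo_tw_ioctl tw_ioctl;

	demo_copy_from_user(&driver_command, argp, sizeof(driver_command));
	if (driver_command.buffer_length > TW_DEMO_MAX_BUF)
		return -EINVAL;		/* security check on the first copy */

	if (race)
		race(argp);		/* attacker's window */

	demo_copy_from_user(&tw_ioctl, argp, sizeof(tw_ioctl));
	/* BUG: this length comes from the second copy and was never checked */
	*used_len = tw_ioctl.driver_command.buffer_length;
	return 0;
}

/* Hardened shape: fetch once, validate the copy you will act on. */
static int demo_ioctl_single_fetch(struct demo_tw_ioctl *argp,
				   demo_race_fn race, uint32_t *used_len)
{
	struct demo_tw_ioctl tw_ioctl;

	demo_copy_from_user(&tw_ioctl, argp, sizeof(tw_ioctl));
	if (race)
		race(argp);		/* too late: the kernel copy is already fixed */
	if (tw_ioctl.driver_command.buffer_length > TW_DEMO_MAX_BUF)
		return -EINVAL;
	*used_len = tw_ioctl.driver_command.buffer_length;
	return 0;
}

/* Constructed attacker behaviour: grow the length after the check. */
static void demo_race_grow_length(struct demo_tw_ioctl *user_argp)
{
	user_argp->driver_command.buffer_length = 0xffffffffu;
}

/* Run one handler with a benign initial length and the racing writer;
 * returns 1 if the handler would go on to act on an out-of-bounds length. */
static int demo_bypassed(int (*handler)(struct demo_tw_ioctl *, demo_race_fn, uint32_t *))
{
	struct demo_tw_ioctl user = { { .opcode = 1, .buffer_length = 16 }, { 0 } };
	uint32_t used = 0;
	int rc = handler(&user, demo_race_grow_length, &used);

	return rc == 0 && used > TW_DEMO_MAX_BUF;
}

int main(void)
{
	printf("double fetch bypassed: %d\n", demo_bypassed(demo_ioctl_double_fetch));
	printf("single fetch bypassed: %d\n", demo_bypassed(demo_ioctl_single_fetch));
	return 0;
}
```

The racing writer is called synchronously here, which makes the window deterministic; on real hardware the attacker loops a sibling thread flipping the field and wins only some of the time, but a single win is enough because the second copy is never re-checked.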