From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Adam Radford, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2] scsi: 3w-xxxx: fix a missing-check bug
Date: Mon, 7 May 2018 19:54:01 -0500
Message-Id: <1525740850-23737-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In tw_chrdev_ioctl(), the length of the data buffer is first copied from the userspace pointer 'argp' and saved to the kernel object 'data_buffer_length'. Then a security check is performed on it to make sure that the length is not more than 'TW_MAX_IOCTL_SECTORS * 512'. Otherwise, an error code -EINVAL is returned. If the security check is passed, the entire ioctl command is copied again from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various operations are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in userspace, a malicious userspace process can race to change the buffer length between the two copies. This way, the user can bypass the security check and inject an invalid data buffer length. This can cause potential security issues in the following execution.

This patch checks for capable(CAP_SYS_ADMIN) in tw_chrdev_open() to avoid the above issues.

Signed-off-by: Wenwen Wang
---
 drivers/scsi/3w-xxxx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
index 33261b6..f6179e3 100644
--- a/drivers/scsi/3w-xxxx.c
+++ b/drivers/scsi/3w-xxxx.c
@@ -1033,6 +1033,9 @@ static int tw_chrdev_open(struct inode *inode, struct file *file) dprintk(KERN_WARNING "3w-xxxx: tw_ioctl_open()\n"); + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + minor_number = iminor(inode); if (minor_number >= tw_device_extension_count) return -ENODEV;
--
2.7.4
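Review bot: the check this hunk adds to tw_chrdev_open() ('+ if (!capable(CAP_SYS_ADMIN))' / '+ return -EACCES;') does not close the double fetch the commit message describes in tw_chrdev_ioctl(): the length is still read from 'argp' twice and only the first copy is compared against 'TW_MAX_IOCTL_SECTORS * 512', so a caller that does hold CAP_SYS_ADMIN can still change the value between the two copies. Restricting the character device to CAP_SYS_ADMIN is a reasonable hardening step on its own, but the race itself should be fixed in tw_chrdev_ioctl() by re-validating 'data_buffer_length' after the second copy_from_user() (or by using only the first, already-checked value for every later size computation), and the commit message should state that this patch limits who can reach the ioctl rather than that it removes the TOCTOU. A second point: the capability check runs only at open time, so a descriptor opened by a privileged process and handed to an unprivileged one keeps full ioctl access; if that matters for this driver, the check belongs in the ioctl handler as well.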