From: adam radford
Date: Mon, 7 May 2018 18:42:56 -0700
Subject: Re: [PATCH v2] scsi: 3w-9xxx: fix a missing-check bug
To: Wenwen Wang
Cc: Kangjie Lu, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi, open list
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 7, 2018 at 5:46 PM, Wenwen Wang wrote:
> In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from the
> userspace pointer 'argp' and saved to the kernel object 'driver_command'.
> Then a security check is performed on the data buffer size indicated by
> 'driver_command', which is 'driver_command.buffer_length'. If the security
> check is passed, the entire ioctl command is copied again from the 'argp'
> pointer and saved to the kernel object 'tw_ioctl'. Then, various operations
> are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp'
> pointer resides in userspace, a malicious userspace process can race to
> change the buffer size between the two copies. This way, the user can
> bypass the security check and inject invalid data buffer size. This can
> cause potential security issues in the following execution.
>
> This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open() to avoid
> the above issues.
>
> Signed-off-by: Wenwen Wang
> ---
>  drivers/scsi/3w-9xxx.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
> index b42c9c4..99ba4a7 100644
> --- a/drivers/scsi/3w-9xxx.c
> +++ b/drivers/scsi/3w-9xxx.c
> @@ -882,6 +882,11 @@ static int twa_chrdev_open(struct inode *inode, struct file *file)
>  	unsigned int minor_number;
>  	int retval = TW_IOCTL_ERROR_OS_ENODEV;
>
> +	if (!capable(CAP_SYS_ADMIN)) {
> +		retval = -EACCES;
> +		goto out;
> +	}
> +
>  	minor_number = iminor(inode);
>  	if (minor_number >= twa_device_extension_count)
>  		goto out;
> --
> 2.7.4
>

Acked-by: Adam Radford
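Review bot: the capable(CAP_SYS_ADMIN) check added in twa_chrdev_open() limits who can open the character device, but it leaves the double fetch described in the commit message in place: twa_chrdev_ioctl() still validates buffer_length from the first copy into driver_command and then operates on the length found in the second copy into tw_ioctl. Consider also re-validating tw_ioctl's buffer_length after the second copy_from_user() (or copying once and checking the copy that is actually used), so the size check applies to the data the driver acts on. The subject "fix a missing-check bug" would then also describe the change; as written, the message describes a race and the hunk adds only a privilege check.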
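A user-space model of the double fetch the commit message describes, added here as an illustration and not code from the 3w-9xxx driver or the patch; the struct layouts, the copy_from_user() stand-in and the race flag are assumptions so that it runs outside the kernel, and it shows the hardened single-copy shape beside the racy one:

```c
#include <stdint.h>
#include <string.h>

#define MAX_BUF 64

/* Hypothetical layouts modelled on the commit message (not the real 3w-9xxx
 * structs): a header carrying buffer_length, followed by the payload. */
struct driver_cmd_hdr { uint32_t buffer_length; };
struct ioctl_blob { struct driver_cmd_hdr hdr; unsigned char data[MAX_BUF]; };

/* Deterministic stand-in for the race: when set, the "user" memory is
 * rewritten right after each copy, which is what another thread could do
 * to the real argp page between two copy_from_user() calls. */
int simulate_race_after_copy = 0;

/* Stand-in for copy_from_user(); here 'user' is ordinary memory. */
static void fake_copy_from_user(void *dst, struct ioctl_blob *user, size_t n)
{
    memcpy(dst, user, n);
    if (simulate_race_after_copy)
        user->hdr.buffer_length = 0xFFFFFFFFu; /* length flips after the check */
}

/* Double-fetch pattern from the commit message: validate buffer_length from
 * the first (header) copy, then copy the whole object again and use the
 * length from that second, unvalidated copy. Returns -1 if rejected. */
int ioctl_double_fetch(struct ioctl_blob *user, uint32_t *used_len)
{
    struct driver_cmd_hdr hdr;
    struct ioctl_blob full;
    fake_copy_from_user(&hdr, user, sizeof hdr);
    if (hdr.buffer_length > MAX_BUF)
        return -1;                          /* the "security check" */
    fake_copy_from_user(&full, user, sizeof full);
    *used_len = full.hdr.buffer_length;     /* may no longer be <= MAX_BUF */
    return 0;
}

/* Hardened shape: copy once and validate the copy that is actually used. */
int ioctl_single_fetch(struct ioctl_blob *user, uint32_t *used_len)
{
    struct ioctl_blob full;
    fake_copy_from_user(&full, user, sizeof full);
    if (full.hdr.buffer_length > MAX_BUF)
        return -1;
    *used_len = full.hdr.buffer_length;
    return 0;
}
```

With the race flag set, the double-fetch variant passes its check on a length of 16 and then proceeds with 0xFFFFFFFF, while the single-fetch variant keeps the value it validated.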