Received: by 10.192.165.148 with SMTP id m20csp3741434imm;
        Mon, 7 May 2018 18:43:23 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqq3BPhMvXbVGLpCM2jfOOWhqi51dVW7RrDseE6OmFyaY5uKVSAdL5G3OaHA2HdQZEELnSs
X-Received: by 2002:a17:902:8d81:: with SMTP id v1-v6mr38271909plo.383.1525743803693;
        Mon, 07 May 2018 18:43:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525743803; cv=none;
        d=google.com; s=arc-20160816;
        b=F7GhT+NGq8i/Xpv9FJQRuWB0bLV2jC2EH9NoZj7vpgfgrNGzVyX+5uEcT8YJ3Hh8qp
         lJh2pQ5+Hvhg29ShCQbcCDCuL6ETrWYadYbuKXKmxI40e7qRCxnVCw6zr1N0MguuAjxv
         c6FTHzcLCitAa/JM7n/qXrJISMhTdmh2uKmzzlKysUU1I+G9ZxVE+hSbdcFTt/BN7Tnm
         LTT0QU+wRR2Gbdyj/LD0OpWdhqzZej7mBZCj/dEybsU/5SqZUEkrRxWSPbCM6iu98KKO
         v0iZtT8eY0shxYXcJwM02BwlvLfsu105ghUfdZLytaDArXeni73lzIovDhEvGj1H1Gzl
         ZiJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=bu7tDSeEk0CkJFsPQuFYvfaIm9PYImK3zLzVkK4Wero=;
        b=zu5xIVfZNRHq0jWHN57B30gafVRJJCmT4XQoCPY3H7y5sXlcmAqqCSDe4xAaEix+Zf
         NjXrLsXgj9KEv6NcFDvk8gL8pkrCU07GJHqFY9PfFv5H3Vq8Sgvf/lQFzgrnBSaBJSfi
         GF3bcRRzvbPT1rIU6oXFFr2gyizOYycM7Zb32UU1SPHeKGgUOGNHkQ6z6IwxG9r2oLcL
         Y+j1eundVGc4l9y4ON/TpORA+NrpcZTNOPHkXmNLSSJZ9L1vrU36JYn3JzEbdH3bvZWj
         pnoXeWa8UMa4oYze77SXznDcTQxnC7NKsNg3ESl7LLabya73l4ojqiEzF/tybsADFl/6
         qJWg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=E8LMP+25;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o184si15890511pfb.157.2018.05.07.18.43.09;
        Mon, 07 May 2018 18:43:23 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=E8LMP+25;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753659AbeEHBm7 (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Mon, 7 May 2018 21:42:59 -0400
Received: from mail-oi0-f68.google.com ([209.85.218.68]:41016 "EHLO
        mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751828AbeEHBm5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 May 2018 21:42:57 -0400
Received: by mail-oi0-f68.google.com with SMTP id 11-v6so26946681ois.8;
        Mon, 07 May 2018 18:42:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=bu7tDSeEk0CkJFsPQuFYvfaIm9PYImK3zLzVkK4Wero=;
        b=E8LMP+25D+mtHS9W5gMwLKr+WYT5dVX1uzHXSuyF64SCdvKPDsqbkh+udMATnhxaT9
         WptnRTUlRCDBJI/MLX2285ihk9NW2YyxPoekHXxAndGNRSQ2G0W8jU2ulOqRXGbFrCdH
         dqqxsloLi+yvBbk50ej7QM71fzqEuBc03c4BE0iBUkGWolP1l623wGxFFv9odfVyDcSM
         YmmYaThDnCCrZ8xEyGeGWGnfr7Pq7PPyZnqJzAqELbrLw8rB46i4GwQ6XW5zQG6uF0od
         FUVdKANIu2w8vHs+cIIPzvZ3Y3Rlb97TIolWEc52Ub99FyI9uIh1AmueoDEfiWOyU8Ax
         p+Ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=bu7tDSeEk0CkJFsPQuFYvfaIm9PYImK3zLzVkK4Wero=;
        b=Xu7mAkfRWvy0XYop0zr7/BANtfWpG6kNFKNmzfChQtPzdKErW1rd4+mjawNCEe5RLM
         EsAIL7JXJCPLqASjubqAKkQYpEADDbHQgNLuwmjfubIujCY3Iya95JQ1/1dz6u831C1K
         d0XFzlG09cRPvSeQqGT5+x6ymGVv85SBq38823mISatY6gC57VDE89eRK2Bu3jsyqVyA
         RjRvPcsKj69EVuzWVWioeZtTVN18BpEtMefqPRZKjhvFPYP+LjSyBe8LPOGfMdRwrKbN
         xY+rrTvNPBcd3uUlG6cBy40lXrJOt0spqRQslGfL2JgNY9I7VMKkeXfQ+rFsRrK0deB7
         7wXw==
X-Gm-Message-State: ALQs6tAHxTh6x4mrNR3V0BmYtR9yXh5vpnu2DXcDB/XBGOI6tyOOAqE5
        2FI2I8OJLLrL1wdkdE2JaLQSjKIxzMc0SYzlZG8=
X-Received: by 2002:aca:b985:: with SMTP id j127-v6mr24063659oif.6.1525743777099;
 Mon, 07 May 2018 18:42:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.24.207 with HTTP; Mon, 7 May 2018 18:42:56 -0700 (PDT)
In-Reply-To: <1525740413-23443-1-git-send-email-wang6495@umn.edu>
References: <1525740413-23443-1-git-send-email-wang6495@umn.edu>
From:   adam radford <aradford@gmail.com>
Date:   Mon, 7 May 2018 18:42:56 -0700
Message-ID: <CAHtARFEbjf90Es-e7_Uh0k2Mb6pMNknAtS5SE5iFs3Zizd8TAQ@mail.gmail.com>
Subject: Re: [PATCH v2] scsi: 3w-9xxx: fix a missing-check bug
To:     Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi <linux-scsi@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 7, 2018 at 5:46 PM, Wenwen Wang <wang6495@umn.edu> wrote:
> In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from the
> userspace pointer 'argp' and saved to the kernel object 'driver_command'.
> Then a security check is performed on the data buffer size indicated by
> 'driver_command', which is 'driver_command.buffer_length'. If the security
> check is passed, the entire ioctl command is copied again from the 'argp'
> pointer and saved to the kernel object 'tw_ioctl'. Then, various operations
> are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp'
> pointer resides in userspace, a malicious userspace process can race to
> change the buffer size between the two copies. This way, the user can
> bypass the security check and inject invalid data buffer size. This can
> cause potential security issues in the following execution.
>
> This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open()t o avoid
> the above issues.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
>  drivers/scsi/3w-9xxx.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
> index b42c9c4..99ba4a7 100644
> --- a/drivers/scsi/3w-9xxx.c
> +++ b/drivers/scsi/3w-9xxx.c
> @@ -882,6 +882,11 @@ static int twa_chrdev_open(struct inode *inode, struct file *file)
>         unsigned int minor_number;
>         int retval = TW_IOCTL_ERROR_OS_ENODEV;
>
> +       if (!capable(CAP_SYS_ADMIN)) {
> +               retval = -EACCES;
> +               goto out;
> +       }
> +
>         minor_number = iminor(inode);
>         if (minor_number >= twa_device_extension_count)
>                 goto out;
> --
> 2.7.4
>

Acked-by: Adam Radford <aradford@gmail.com>