In-Reply-To: <1525740850-23737-1-git-send-email-wang6495@umn.edu>
References: <1525740850-23737-1-git-send-email-wang6495@umn.edu>
From: adam radford
Date: Mon, 7 May 2018 18:44:18 -0700
Subject: Re: [PATCH v2] scsi: 3w-xxxx: fix a missing-check bug
To: Wenwen Wang
Cc: Kangjie Lu, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi, open list
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 7, 2018 at 5:54 PM, Wenwen Wang wrote:
> In tw_chrdev_ioctl(), the length of the data buffer is firstly copied from
> the userspace pointer 'argp' and saved to the kernel object
> 'data_buffer_length'. Then a security check is performed on it to make sure
> that the length is not more than 'TW_MAX_IOCTL_SECTORS * 512'. Otherwise,
> an error code -EINVAL is returned. If the security check is passed, the
> entire ioctl command is copied again from the 'argp' pointer and saved to
> the kernel object 'tw_ioctl'. Then, various operations are performed on
> 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in
> userspace, a malicious userspace process can race to change the buffer
> length between the two copies. This way, the user can bypass the security
> check and inject an invalid data buffer length. This can cause potential
> security issues in the following execution.
>
> This patch checks for capable(CAP_SYS_ADMIN) in tw_chrdev_open() to avoid
> the above issues.
>
> Signed-off-by: Wenwen Wang
> ---
>  drivers/scsi/3w-xxxx.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
> index 33261b6..f6179e3 100644
> --- a/drivers/scsi/3w-xxxx.c
> +++ b/drivers/scsi/3w-xxxx.c
> @@ -1033,6 +1033,9 @@ static int tw_chrdev_open(struct inode *inode, struct file *file) > > dprintk(KERN_WARNING "3w-xxxx: tw_ioctl_open()\n"); > > + if (!capable(CAP_SYS_ADMIN)) > + return -EACCES; > + > minor_number = iminor(inode); > if (minor_number >= tw_device_extension_count) > return -ENODEV; > -- > 2.7.4 > Acked-by: Adam Radford
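Review bot: the capable(CAP_SYS_ADMIN) check added to tw_chrdev_open() restricts who can reach tw_chrdev_ioctl(), but it does not remove the double fetch the commit message describes: data_buffer_length is still validated from the first copy_from_user() and then re-read by the second, so a CAP_SYS_ADMIN process can still change 'argp' between the two copies. Consider also validating the data_buffer_length field of the second copy after the full copy_from_user() (or copying the header once and reusing it), and wording the commit message as restricting access rather than "to avoid the above issues". Two smaller points on the hunk itself: because the check sits in open(), the privilege is bound to the file descriptor, so a process that inherits or receives the fd can issue ioctls without itself holding CAP_SYS_ADMIN; and a failed capable() check is more commonly reported as -EPERM than the -EACCES returned here.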
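The double fetch described in the commit message, modelled in user space as an added example; this is not code from the 3w-xxxx driver, from the patch, or from anyone in this thread. copy_from_user() is stood in for by memcpy from a buffer that plays the role of 'argp', and the racing user thread is stood in for by a hook called in the window between the two copies, so the race is deterministic instead of depending on scheduling. The ioctl header layout is an assumption, as is TW_MAX_IOCTL_SECTORS = 256 (the driver's own value lives in its header). The first handler is the pattern the commit message criticises; the second copies once and validates the copy it uses, which closes the window regardless of who may open the device.

```c
/*
 * Added example, not code from the 3w-xxxx driver or the patch above.
 * Models the double fetch from the commit message next to a single-fetch
 * version that closes it. memcpy stands in for copy_from_user(); a hook
 * stands in for the racing user thread. The struct layout is an assumption,
 * and TW_MAX_IOCTL_SECTORS is assumed to be 256.
 */
#include <stdio.h>
#include <string.h>

#define TW_MAX_IOCTL_SECTORS 256               /* assumed driver constant */
#define MAX_LEN (TW_MAX_IOCTL_SECTORS * 512)   /* the limit the driver checks */

/* Assumed ioctl header: the length comes first, as the commit message says. */
struct tw_ioctl_model {
    unsigned int data_buffer_length;
    unsigned char cmd;
    unsigned char data[8];                     /* placeholder payload */
};

/* Stands in for a racing user thread that may rewrite the user buffer. */
typedef void (*race_hook_t)(struct tw_ioctl_model *argp);

/* Stands in for copy_from_user(); returns 0 on success like the kernel API. */
static int fake_copy_from_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/*
 * Vulnerable pattern: the length is fetched and checked, then the whole
 * command is fetched again and the length from that second copy is what
 * later code trusts. Returns the trusted length, or -1 where the driver
 * would return an error.
 */
int ioctl_double_fetch(struct tw_ioctl_model *argp, race_hook_t racer)
{
    unsigned int data_buffer_length;
    struct tw_ioctl_model tw_ioctl;

    if (fake_copy_from_user(&data_buffer_length, &argp->data_buffer_length,
                            sizeof(data_buffer_length)))
        return -1;
    if (data_buffer_length > MAX_LEN)
        return -1;                             /* -EINVAL in the driver */

    if (racer)
        racer(argp);            /* the race window: user memory changes here */

    if (fake_copy_from_user(&tw_ioctl, argp, sizeof(tw_ioctl)))
        return -1;
    /* The value that was checked is never consulted again. */
    return (int)tw_ioctl.data_buffer_length;
}

/*
 * Hardened pattern: fetch once, validate the kernel copy, use only that copy.
 * The racer may rewrite *argp whenever it likes; it cannot reach the copy
 * that is checked and used.
 */
int ioctl_single_fetch(struct tw_ioctl_model *argp, race_hook_t racer)
{
    struct tw_ioctl_model tw_ioctl;

    if (fake_copy_from_user(&tw_ioctl, argp, sizeof(tw_ioctl)))
        return -1;
    if (racer)
        racer(argp);            /* same hook, now without effect */
    if (tw_ioctl.data_buffer_length > MAX_LEN)
        return -1;
    return (int)tw_ioctl.data_buffer_length;
}

/* Constructed attacker: inflates the length once the check has passed. */
void inflate_length(struct tw_ioctl_model *argp)
{
    argp->data_buffer_length = MAX_LEN * 4;
}

/* Scenario helpers: run one handler on a fresh request of the given length. */
int run_double_fetch(unsigned int initial_len, race_hook_t racer)
{
    struct tw_ioctl_model req;
    memset(&req, 0, sizeof(req));
    req.data_buffer_length = initial_len;
    return ioctl_double_fetch(&req, racer);
}

int run_single_fetch(unsigned int initial_len, race_hook_t racer)
{
    struct tw_ioctl_model req;
    memset(&req, 0, sizeof(req));
    req.data_buffer_length = initial_len;
    return ioctl_single_fetch(&req, racer);
}

int main(void)
{
    printf("double fetch, no race:   %d\n", run_double_fetch(512, NULL));
    printf("double fetch, raced:     %d\n", run_double_fetch(512, inflate_length));
    printf("single fetch, raced:     %d\n", run_single_fetch(512, inflate_length));
    printf("oversized, single fetch: %d\n", run_single_fetch(MAX_LEN + 1, NULL));
    return 0;
}
```

With the racer present, the double-fetch handler ends up trusting a length four times the limit it just checked, while the single-fetch handler still returns the 512 it validated; an oversized request is rejected by both only when no racer interferes. The same shape applies to any ioctl that reads a header field, checks it, and then copies the structure again.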