To: Wenwen Wang
Cc: Kangjie Lu, Adam Radford, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list)
Subject: Re: [PATCH v2] scsi: 3w-9xxx: fix a missing-check bug
From: "Martin K. Petersen"
Organization: Oracle Corporation
References: <1525740413-23443-1-git-send-email-wang6495@umn.edu>
Date: Tue, 08 May 2018 01:34:10 -0400
In-Reply-To: <1525740413-23443-1-git-send-email-wang6495@umn.edu> (Wenwen Wang's message of "Mon, 7 May 2018 19:46:43 -0500")
X-Mailing-List: linux-kernel@vger.kernel.org

Wenwen,

> In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from the
> userspace pointer 'argp' and saved to the kernel object 'driver_command'.
> Then a security check is performed on the data buffer size indicated by
> 'driver_command', which is 'driver_command.buffer_length'.
> If the security check is passed, the entire ioctl command is copied again
> from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then,
> various operations are performed on 'tw_ioctl' according to the 'cmd'.
> Given that the 'argp' pointer resides in userspace, a malicious userspace
> process can race to change the buffer size between the two copies. This
> way, the user can bypass the security check and inject an invalid data
> buffer size. This can cause potential security issues in the following
> execution.
>
> This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open() to avoid
> the above issues.

Applied patch 1 + 2 to 4.18/scsi-queue. Thank you.

-- 
Martin K. Petersen	Oracle Linux Engineering
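The double fetch that the patch description walks through, as an added example (not code from the 3w-9xxx driver or from this patch): a simulated copy_from_user() with a hook standing in for the racing userspace thread, the check-then-recopy pattern beside a single-fetch variant that validates the one copy it will actually use. The patch itself instead gates the device node with capable(CAP_SYS_ADMIN) at open time; the struct layouts, MAX_BUFFER_LENGTH and the helper names here are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the ioctl header and message; only the length field matters here. */
struct drv_cmd { uint32_t buffer_length; };
struct ioctl_msg { struct drv_cmd driver_command; uint8_t data[64]; };
#define MAX_BUFFER_LENGTH 32u   /* hypothetical limit enforced by the size check */

/* Stand-in for copy_from_user(): memcpy plus a hook that models a second
 * userspace thread rewriting argp right after the first fetch. */
static void (*race_hook)(void *user_src);
static unsigned fetch_count;
static void copy_from_user_sim(void *dst, void *src, size_t n)
{
    memcpy(dst, src, n);
    if (++fetch_count == 1 && race_hook)
        race_hook(src);
}
/* Double fetch as in the description: check copy #1, act on copy #2.
 * Returns the buffer_length the driver would go on to use, -1 if rejected. */
static int ioctl_double_fetch(void *argp)
{
    struct drv_cmd driver_command;
    struct ioctl_msg tw_ioctl;
    fetch_count = 0;
    copy_from_user_sim(&driver_command, argp, sizeof(driver_command));
    if (driver_command.buffer_length > MAX_BUFFER_LENGTH)
        return -1;                              /* passes on the first copy */
    copy_from_user_sim(&tw_ioctl, argp, sizeof(tw_ioctl));
    return (int)tw_ioctl.driver_command.buffer_length; /* second copy wins */
}
/* Single fetch: copy once, validate the kernel copy, use only that copy. */
static int ioctl_single_fetch(void *argp)
{
    struct ioctl_msg tw_ioctl;
    fetch_count = 0;
    copy_from_user_sim(&tw_ioctl, argp, sizeof(tw_ioctl));
    if (tw_ioctl.driver_command.buffer_length > MAX_BUFFER_LENGTH)
        return -1;
    return (int)tw_ioctl.driver_command.buffer_length;
}
/* The racing thread pushes the length past the limit once the check is done. */
static void bump_length(void *u) { ((struct ioctl_msg *)u)->driver_command.buffer_length = 4096; }
/* Run a handler on a constructed message (length 16, legal) with or without the race. */
static int run(int (*handler)(void *), int race)
{
    struct ioctl_msg user_msg = { { 16 }, { 0 } };
    race_hook = race ? bump_length : NULL;
    return handler(&user_msg);
}
```

With the race on, the double-fetch handler proceeds with a length of 4096 although the check only ever saw 16, while the single-fetch handler keeps acting on the 16 it validated.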