In-Reply-To: <1525501896-8235-1-git-send-email-wang6495@umn.edu>
References: <1525501896-8235-1-git-send-email-wang6495@umn.edu>
From: Wenwen Wang
Date: Wed, 9 May 2018 00:28:53 -0500
Subject: Re: [PATCH] scsi: mpt3sas: fix a missing-check bug
To: Wenwen Wang
Cc: Kangjie Lu, Sathya Prakash, Chaitra P B, Suganath Prabu Subramani, "James E.J. Bottomley", "Martin K. Petersen", "open list:LSILOGIC MPT FUSION DRIVERS (FC/SAS/SPI)", "open list:LSILOGIC MPT FUSION DRIVERS (FC/SAS/SPI)", open list
X-Mailing-List: linux-kernel@vger.kernel.org

Hello

Could you please review this patch? We need a confirmation because we are
working on an approaching deadline.

Thanks!

Wenwen

On Sat, May 5, 2018 at 1:31 AM, Wenwen Wang wrote:
> In _ctl_ioctl_main(), 'ioctl_header' is first copied from the userspace
> pointer 'arg'. 'ioctl_header.ioc_number' is then verified by
> _ctl_verify_adapter(). If the verification fails, an error code -ENODEV
> is returned. Otherwise, the verification result, i.e., the MPT3SAS adapter
> that matches the 'ioctl_header.ioc_number', is saved to 'ioc'. Later
> on, if the 'cmd' is MPT3COMMAND, the whole ioctl command struct is copied
> again from the userspace pointer 'arg' and saved to 'karg'. Then the
> function _ctl_do_mpt_command() is invoked to execute the command with the
> adapter 'ioc' and 'karg' as inputs.
>
> Given that the pointer 'arg' resides in userspace, a malicious userspace
> process can race to change the 'ioc_number' between the two copies, which
> will cause inconsistency issues and potentially security issues, since an
> inconsistent adapter could be used with the command struct 'karg' as inputs
> of _ctl_do_mpt_command(). Moreover, the user can potentially provide a
> valid 'ioc_number' to pass the verification, and then modify it to an
> invalid 'ioc_number'. That means an invalid 'ioc_number' can potentially
> bypass the verification check.
>
> To fix this issue, we need to recheck the 'ioc_number' copied after the
> second copy to make sure it is not changed since the first copy.
>
> Signed-off-by: Wenwen Wang
> ---
> drivers/scsi/mpt3sas/mpt3sas_ctl.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
> index d3cb387..0c140c7 100644
> --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
> +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
> @@ -2388,6 +2388,11 @@ _ctl_ioctl_main(struct file *file, unsigned int cmd, void __user *arg,
> break;
> }
>
> + if (karg.hdr.ioc_number != ioctl_header.ioc_number) {
> + ret = -EINVAL;
> + break;
> + }
> +
> if (_IOC_SIZE(cmd) == sizeof(struct mpt3_ioctl_command)) {
> uarg = arg;
> ret = _ctl_do_mpt_command(ioc, karg, &uarg->mf);
> --
> 2.7.4
>
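Review bot: the commit message should say where a mismatched `karg.hdr.ioc_number` is actually consumed, because the visible call `ret = _ctl_do_mpt_command(ioc, karg, &uarg->mf);` passes the already-verified `ioc` explicitly; if `_ctl_do_mpt_command()` never reads `karg.hdr.ioc_number`, the new check is defensive hardening rather than a verification bypass fix, and if it does, that use is what the changelog should point at. A second, smaller point on the same hunk: the first-copy verification in `_ctl_verify_adapter()` rejects a bad `ioc_number` with `-ENODEV`, while the recheck returns `-EINVAL`, so a caller that races the field to an invalid value sees a different errno than one that supplies it invalid up front; either pick one code or note in the changelog why the two cases differ.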
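The double fetch described in the commit message and the recheck added by the hunk, modelled in a constructed C simulation (added here; not the mpt3sas driver's code). It assumes simplified struct layouts, uses memcpy() in place of copy_from_user(), and models the racing thread as a hook that runs in the window between the two copies; `NUM_ADAPTERS` and the helper names are assumptions.

```c
/* Constructed simulation of the double fetch in _ctl_ioctl_main(); not the
 * driver's code. Struct layouts are simplified, memcpy() stands in for
 * copy_from_user(), and the hook models a second thread rewriting the
 * user buffer in the window between the two copies. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct ioctl_header { uint32_t ioc_number; uint32_t port_number; uint32_t max_data_size; };
struct mpt3_ioctl_command { struct ioctl_header hdr; uint32_t timeout; };

#define NUM_ADAPTERS 2   /* assumed: adapters 0 and 1 exist, anything else is invalid */

typedef void (*race_hook_t)(struct mpt3_ioctl_command *user_cmd);

/* Stand-in for _ctl_verify_adapter(): -ENODEV for an unknown adapter. */
int verify_adapter(uint32_t ioc_number)
{
    return ioc_number < NUM_ADAPTERS ? 0 : -ENODEV;
}

/* Returns the adapter the command would run on (>= 0) or a negative errno.
 * *karg_ioc receives the ioc_number carried by the second copy, i.e. what
 * _ctl_do_mpt_command() would see inside 'karg'. With recheck == 0 this is
 * the pre-patch behaviour; with recheck == 1 it applies the patch's check. */
int ctl_ioctl_main(struct mpt3_ioctl_command *user_cmd, race_hook_t hook,
                   int recheck, uint32_t *karg_ioc)
{
    struct ioctl_header ioctl_header;
    struct mpt3_ioctl_command karg;
    int ioc;

    memcpy(&ioctl_header, user_cmd, sizeof(ioctl_header));   /* first fetch */
    if (verify_adapter(ioctl_header.ioc_number))
        return -ENODEV;
    ioc = (int)ioctl_header.ioc_number;                        /* validated adapter */

    if (hook)
        hook(user_cmd);          /* race window: user memory changes here */

    memcpy(&karg, user_cmd, sizeof(karg));                     /* second fetch */
    if (recheck && karg.hdr.ioc_number != ioctl_header.ioc_number)
        return -EINVAL;                                        /* the patch's check */

    *karg_ioc = karg.hdr.ioc_number;   /* value that reaches the command unchecked */
    return ioc;
}

/* Models the racing writer: swaps in an ioc_number that would fail verification. */
void flip_ioc_number(struct mpt3_ioctl_command *user_cmd)
{
    user_cmd->hdr.ioc_number = 7;
}
```

Without the recheck the raced call still runs on the validated adapter while `karg` carries an ioc_number that verification would have rejected; with it the call fails closed with -EINVAL.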