Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp5008289imm; Fri, 18 May 2018 14:49:54 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqGhaDS/WIcKDGHngGlpbiUkjuYsxeyB8sqggVEhcoGRQKM9lCDEu1a9aiDR5kl8ADydHBx X-Received: by 2002:a63:af19:: with SMTP id w25-v6mr5514077pge.247.1526680194869; Fri, 18 May 2018 14:49:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526680194; cv=none; d=google.com; s=arc-20160816; b=Bb1fSQEqfs+/USLT1uQpYF9Pm0M+0C/QVByaqDRDL5UyYmfKi5e0SHnMO2TfyY8My9 HzB1B5n3V+B9WUSP4euufhMfPUpadi8pSny5L1G/CPnw2Zadhm1rVVxgcnF5PNnb7bgm Ag6jVuQQ4DaEolExdWM0EKprLanCKxxR6kBYtZ0eKJqX9VHrZksfk00tnaV64cRhn35D H8oxTjyGFvTd0WmApLkIbZOB7ZkoAE+l82sZISdRmAnfZOriqCIjB9PybmdWBGxaWEcr CFUTm1dTujiFagBFlj92s2zX9S5SHyYFNc0WbnIAsUyHkSSQfY3mMzwe0Q9cjS4xDFM/ ePWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=DIVSg/ZIVgJo0Jq7pc8gVqOeDidgxaHtsHMJfxT7Njk=; b=rDQFlqIQy3eQJocIRjWK3GsbpD6P9/AZNtp8pyECM0VcwWa57mifDayfThjFiNKbJ2 NQ07PiqdIqAKfrY7iqIR0atKa1w4YZI6UqREBC8PRrdClFk9uRmMl0F0eHeFIjzVlY7o p3JuF1MQsz6rNHJQb5DimHZPTvRdqXlO8glZ6CpJSEA9oQ8elqY1UNoOpedWdsBW+l/k pJ6UwZoEgsbkThZ0ziKOGUDEeaPRU67Z08SPBWuj3jw4NDhkpZAlXs/qpcUMN9UDKPId BCmk/klmnHFVBOhChKnC4fLqHoHezLwVikR2fUeHyeWe+YNVpqrZC+XLlRSnGFzzMuXY 3Mfw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=hfVAgi4K; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s13-v6si7861316plq.464.2018.05.18.14.49.40; Fri, 18 May 2018 14:49:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=hfVAgi4K; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751805AbeERVt3 (ORCPT + 99 others); Fri, 18 May 2018 17:49:29 -0400 Received: from mta-p1.oit.umn.edu ([134.84.196.201]:53110 "EHLO mta-p1.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751009AbeERVt2 (ORCPT ); Fri, 18 May 2018 17:49:28 -0400 Received: from localhost (localhost [127.0.0.1]) by mta-p1.oit.umn.edu (Postfix) with ESMTP id 5DA3D259; Fri, 18 May 2018 21:49:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=umn.edu; h= content-type:content-type:subject:subject:message-id:date:date :from:from:references:in-reply-to:received:mime-version:received :received:received; s=20160920; t=1526680167; x=1528494568; bh=s 3aocEu/FJizvuj88tOZ0pSr1JI9gJmkokO0BaALoCY=; b=hfVAgi4Kt8bIxrq/s 6F1lt2Qw2mXvyvMC6RtjAxezB8g0j/ZrNV3IKWGlkT4mKufyNuLzO+SISWFTcxoq cs+GlLkLya/h0XXpKGPy4mXkfZAJtP6WYAGsYIgylLDU5N43qPhl5tTxcgT4S3FA 5m/jOQzFlxwcoGyZqoKaQ4YKvHnPHEexoYnLTV4ymNhjDwxF2w/xpBe7vNBgrjir jXPv1AF0QG0Ratjvdeoe5uHcizYkrFZ9NJaw05RSq7F4WPnKMEMk7IEZqQxnI4XJ nGchTwNmbeqDIHJweysBHmzlxLxfQvm8HPqe1wNc3EXbpgDsJRX19dAE4gdKfiJD KVs5w== X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p1.oit.umn.edu ([127.0.0.1]) by localhost (mta-p1.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oRahdmodx_h4; Fri, 18 May 2018 16:49:27 -0500 (CDT) Received: from mail-it0-f42.google.com (mail-it0-f42.google.com [209.85.214.42]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: wang6495) by mta-p1.oit.umn.edu (Postfix) with ESMTPSA id 30A90284; Fri, 18 May 2018 16:49:27 -0500 (CDT) Received: by mail-it0-f42.google.com with SMTP id y189-v6so14877305itb.2; Fri, 18 May 2018 14:49:27 -0700 (PDT) X-Gm-Message-State: ALKqPwcgxjMPuHFDZ5GeezZ/UFwihkfo7v9ofz29iY4ZcXZeyOChXAs/ C86a+2oEHomVEh0sEd8mZ9dnir09UmsundFHDUM= X-Received: by 2002:a24:25d0:: with SMTP id g199-v6mr9227646itg.26.1526680166950; Fri, 18 May 2018 14:49:26 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a4f:9850:0:0:0:0:0 with HTTP; Fri, 18 May 2018 14:48:46 -0700 (PDT) In-Reply-To: References: <1525576895-15708-1-git-send-email-wang6495@umn.edu> From: Wenwen Wang Date: Fri, 18 May 2018 16:48:46 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] scsi: sg: fix a missing-check bug To: dgilbert@interlog.com Cc: Kangjie Lu , "James E.J. Bottomley" , "Martin K. Petersen" , "open list:SCSI SG DRIVER" , open list , Wenwen Wang Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 7, 2018 at 12:13 AM, Douglas Gilbert wrote: > On 2018-05-05 11:21 PM, Wenwen Wang wrote: >> >> In sg_write(), the opcode of the command is firstly copied from the >> userspace pointer 'buf' and saved to the kernel variable 'opcode', using >> the __get_user() function. The size of the command, i.e., 'cmd_size' is >> then calculated based on the 'opcode'. After that, the whole command, >> including the opcode, is copied again from 'buf' using the >> __copy_from_user() function and saved to 'cmnd'. Finally, the function >> sg_common_write() is invoked to process 'cmnd'. Given that the 'buf' >> pointer resides in userspace, a malicious userspace process can race to >> change the opcode of the command between the two copies. That means, the >> opcode indicated by the variable 'opcode' could be different from the >> opcode in 'cmnd'. This can cause inconsistent data in 'cmnd' and >> potential logical errors in the function sg_common_write(), as it needs to >> work on 'cmnd'. >> >> This patch reuses the opcode obtained in the first copy and only copies >> the >> remaining part of the command from userspace. >> >> Signed-off-by: Wenwen Wang >> --- >> drivers/scsi/sg.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c >> index c198b963..0ad8106 100644 >> --- a/drivers/scsi/sg.c >> +++ b/drivers/scsi/sg.c >> @@ -657,7 +657,8 @@ sg_write(struct file *filp, const char __user *buf, >> size_t count, loff_t * ppos) >> hp->flags = input_size; /* structure abuse ... */ >> hp->pack_id = old_hdr.pack_id; >> hp->usr_ptr = NULL; >> - if (__copy_from_user(cmnd, buf, cmd_size)) >> + cmnd[0] = opcode; >> + if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1)) >> return -EFAULT; >> /* >> * SG_DXFER_TO_FROM_DEV is functionally equivalent to >> SG_DXFER_FROM_DEV, >> > > That is in the deprecated "v2" part of the sg driver (for around 15 years). > There are lots more interesting races with that interface than that one > described above. My guess is that all system calls would be susceptible > to playing around with a buffer being passed to or from the OS by a thread > other than the one doing the system call, during that call. Surely no Unix > like OS gives any security guarantees to a thread being attacked by a > malevolent thread in the same process! > > My question is did this actually cause to program to fail; or is it > something > that a sanity checker flagged? This is detected by a static analysis tool. But, based on our manual investigation, it can cause program failure. So it is better to fix it. > > Also wouldn't it be better just to return an error such as EINVAL if > opcode != command[0] ? I can revise this patch to return EINVAL if the opcode is not as expected, and resubmit it. Thanks! Wenwen