Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1111173imm;
        Wed, 1 Aug 2018 10:21:36 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpdBSx4dFxxG87DX81zeFk0ECJuojLQSO1ELfsePnAT713r8x9NwcATkKwTrj4okOsDV6Eoq
X-Received: by 2002:a63:1844:: with SMTP id 4-v6mr25949477pgy.313.1533144096825;
        Wed, 01 Aug 2018 10:21:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1533144096; cv=none;
        d=google.com; s=arc-20160816;
        b=chgM8ACqw351vRAt8e/kqXUNjYP77LLFqZ1fr7NVWz5kCbY7HTh2XPPC0tT1t3fQpH
         OOz0CtfUd7/jd7QR+UMXKU5pbNoahvzGPLkkyHGUc6cxC1Ov+o8FRoXmmb07u+QnsVKn
         vsK+/9Ia527KCdCm5zOyX2WvnvxX/VRySyUwKYXuJH7vWAOd5Ke6DoE9FtJvpov2hrsj
         vL5So90qtgIZCNo7S6wakl/Q1IKM7piFADnZybqXz/E8jR63ZKwsYn9L6XDgBk9E6zYG
         6iGzY63xuPHAq/CEON1/fHqZ9MbbvVAKBodk+oWMu7zRhAhGnvmkOrEH8zcAUdn8/B69
         xzRg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=gZhw5Ej2l0GeAD+lajyyTTeeyJNzYzHTxDQF/1TY4KA=;
        b=Ai4Ygz1NjRt8Zx4xq0FWqAgwM1y3ZVR30d0sTjUBRWZxJ/LFII9C2FgkHB7d2Dw5SG
         YaphpVcIgDaiUsXqGKKpb3s9AG8zzy4epCDg3596mFCpMw7FfgcMzSVzje7cP3SryZrq
         df3L3mshXLwzCGEk3H9TUuPWMUniPAwWu7iRQjRqw5mqCLPI8mpJEAKQlAP3lTUDm7YY
         WvUY2KIEPk++5Atf7Mew1hGkSmOaoKadhPovAe6TCB/XaW18TJA0kULPK2+w3icAYOGT
         dMn3jD+NReg2UzReZSd7tBKZ2/pTU8XMHhYuGmkhOGPP2dS4OLcpgXKW+898+uey5oNH
         qBCA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d11-v6si16118444plr.261.2018.08.01.10.21.22;
        Wed, 01 Aug 2018 10:21:36 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2405263AbeHATG2 (ORCPT <rfc822;krseo358@gmail.com> + 99 others);
        Wed, 1 Aug 2018 15:06:28 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:48556 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2403884AbeHATG1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Aug 2018 15:06:27 -0400
Received: from localhost (D57E6652.static.ziggozakelijk.nl [213.126.102.82])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 3CAA7CC3;
        Wed,  1 Aug 2018 17:19:46 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Wenwen Wang <wang6495@umn.edu>,
        Adam Radford <aradford@gmail.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 161/246] scsi: 3w-xxxx: fix a missing-check bug
Date:   Wed,  1 Aug 2018 18:51:11 +0200
Message-Id: <20180801165019.445017425@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180801165011.700991984@linuxfoundation.org>
References: <20180801165011.700991984@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

[ Upstream commit 9899e4d3523faaef17c67141aa80ff2088f17871 ]

In tw_chrdev_ioctl(), the length of the data buffer is firstly copied
from the userspace pointer 'argp' and saved to the kernel object
'data_buffer_length'. Then a security check is performed on it to make
sure that the length is not more than 'TW_MAX_IOCTL_SECTORS *
512'. Otherwise, an error code -EINVAL is returned. If the security
check is passed, the entire ioctl command is copied again from the
'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various
operations are performed on 'tw_ioctl' according to the 'cmd'. Given
that the 'argp' pointer resides in userspace, a malicious userspace
process can race to change the buffer length between the two
copies. This way, the user can bypass the security check and inject
invalid data buffer length. This can cause potential security issues in
the following execution.

This patch checks for capable(CAP_SYS_ADMIN) in tw_chrdev_open() to
avoid the above issues.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Adam Radford <aradford@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/3w-xxxx.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/scsi/3w-xxxx.c
+++ b/drivers/scsi/3w-xxxx.c
@@ -1033,6 +1033,9 @@ static int tw_chrdev_open(struct inode *
 
 	dprintk(KERN_WARNING "3w-xxxx: tw_ioctl_open()\n");
 
+	if (!capable(CAP_SYS_ADMIN))
+		return -EACCES;
+
 	minor_number = iminor(inode);
 	if (minor_number >= tw_device_extension_count)
 		return -ENODEV;