Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1112278imm;
        Wed, 1 Aug 2018 10:22:44 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpe2r7pp0S2eQOBnyU0Jd7/+Vhbn1NN2dZEVDJ5bmCbZaGUIKQG94rV9mDmSEEySBOPKjjwB
X-Received: by 2002:a65:6411:: with SMTP id a17-v6mr24992292pgv.287.1533144164823;
        Wed, 01 Aug 2018 10:22:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1533144164; cv=none;
        d=google.com; s=arc-20160816;
        b=NBfX28F37b69IMeDkPiwqFYRaLVWkYsyKeNutvvyN+OZKajDnWepHjw3VNhA8i2nob
         IgR8KPLR6OBOCHrOcdC9ZzejUiRzr1mLVXHjuYxvXrWFUe3bPP1stBHkezIvn5loO/6t
         ro+5Hexa5g9gaiNE1CWqfWm/tmFjx7U4jSAzU4+p6lEEN5GiMsHs/t3hUMKjyqwLfXiu
         CeC0M/nMBTy3/axumgONUxvcHmaXxWLqqeEgaSxSKrGgJQkoFVVdtCFL97ZSRNftIQ+f
         pI49XxnxAt/QmEc6pDzGAT91s6CQcjABVfesaej9Uv/VuLsDGudr5P4gh/NJ1XbthEBE
         0amA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=oKAKDl47juj6Rb9+HkqBPHkpGuQxAD9UUqy24GtqISk=;
        b=1A+JhIE3aalsbjrU5MMwT5rjZkWiid1oVjMqw/hZtZFDu1Hu454yMCTho0UoVjle1c
         wHQo94zJjpu8P62N+w5cyqnOjbgTHodkMLZi0Cch7ieQUeLLI3uw99knqbVamqev1Qmd
         oXFEycqkT2hAVt5D6JnGDDyAzWFH0SyWtWpvau1/WCa+mMZRKu/C21ReBulbprk5LxS7
         iIkYYbQ4WHz25a8qLO1CK0qve96cKqIk3b5pjpHukSOsk3rVqwLYz0spwko28dA6K2ms
         WuC2HwP8FvhN7TYNjtAwnrURN6WMJm6/bLeZyWghPIoOte1Wk1t+WmRedSqa+5ZO0El4
         y2mg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w61-v6si15212846plb.502.2018.08.01.10.22.30;
        Wed, 01 Aug 2018 10:22:44 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2405252AbeHATGZ (ORCPT <rfc822;krseo358@gmail.com> + 99 others);
        Wed, 1 Aug 2018 15:06:25 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:48452 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2403884AbeHATGY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Aug 2018 15:06:24 -0400
Received: from localhost (D57E6652.static.ziggozakelijk.nl [213.126.102.82])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 4D6EECC3;
        Wed,  1 Aug 2018 17:19:43 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Wenwen Wang <wang6495@umn.edu>,
        Adam Radford <aradford@gmail.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 160/246] scsi: 3w-9xxx: fix a missing-check bug
Date:   Wed,  1 Aug 2018 18:51:10 +0200
Message-Id: <20180801165019.403168318@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180801165011.700991984@linuxfoundation.org>
References: <20180801165011.700991984@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

[ Upstream commit c9318a3e0218bc9dacc25be46b9eec363259536f ]

In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from
the userspace pointer 'argp' and saved to the kernel object
'driver_command'.  Then a security check is performed on the data buffer
size indicated by 'driver_command', which is
'driver_command.buffer_length'. If the security check is passed, the
entire ioctl command is copied again from the 'argp' pointer and saved
to the kernel object 'tw_ioctl'. Then, various operations are performed
on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer
resides in userspace, a malicious userspace process can race to change
the buffer size between the two copies. This way, the user can bypass
the security check and inject invalid data buffer size. This can cause
potential security issues in the following execution.

This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open()t o
avoid the above issues.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Adam Radford <aradford@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/3w-9xxx.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w-9xxx.c
@@ -886,6 +886,11 @@ static int twa_chrdev_open(struct inode
 	unsigned int minor_number;
 	int retval = TW_IOCTL_ERROR_OS_ENODEV;
 
+	if (!capable(CAP_SYS_ADMIN)) {
+		retval = -EACCES;
+		goto out;
+	}
+
 	minor_number = iminor(inode);
 	if (minor_number >= twa_device_extension_count)
 		goto out;