Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1379709imm;
        Sat, 4 Aug 2018 02:11:26 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpd/ydFlApkmHppjXSonq99fRlIJadO8zZuiLyIggjBsql3SPIQDDxisxAkZWA34KQSVeZtR
X-Received: by 2002:a62:455b:: with SMTP id s88-v6mr8272191pfa.203.1533373885983;
        Sat, 04 Aug 2018 02:11:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1533373885; cv=none;
        d=google.com; s=arc-20160816;
        b=pRlY2T9jqDJTupegdv5gAx69NDinWHBCc78tOCX+eew6Yg19ADFCPKHtU3U5Ncxqau
         flRYb+BQjJBlI1zjYZdL0M+YNCZ4vZcDfWFCXvEJvsd+d3Cwb+ssmE4qwYcoEGNKu2al
         VapNC+vCS39lzMDoMdytaIuusOHmJJrJ+yR3pXfwnHk8IgdJEPJ4vWYfJzg/yuKBQLRV
         ID0mlp062HM7uQg4rZCIjtEPqasGxgE+TksayHwi3BewzWv2T859jHU9HgkxH0zGSaL6
         +pLijupkrw3keH5fl9saYgCKGZ4zOOanJxP/ndjs2vCgUyS1mJeSnX7X0lyf/NeOpdws
         ItAA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=gHtv/INJReyjmjgIfINdu2cskdYscxT5qP1ulNm5s48=;
        b=psaHC6i5Ptq3eFUe3NQWwtH2lJ7q4zo7cOY4A1C7Cg/OdkBeoWYUlenw57UG3Ne3VZ
         +DIeDNRyslzvYwWlRxsSZ0jTVnmN1F7nLZ+GAkEl8jyiZwh/ePuj6jV29qLvXVGQ5aPF
         wuJnzkVje5ekSllu24hS1TCm7F8zDztkd58HzYkM2wITX+SDl/Tvg6iwmRyb7O609v1s
         XdTDu05yr9hr4sXiQDTKxd8G+/50q2vldTo9sWtD6gLBbkgcFPnjWrDT+0iQJpdF86If
         EDLumrKvny1QFEYFStO0Ca2KlqgR4n3uzDHW0Tm4sac2MupKyPGs7Cze83Yetp523SOE
         Pa4Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v129-v6si8255437pfv.278.2018.08.04.02.11.11;
        Sat, 04 Aug 2018 02:11:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388869AbeHDLKD (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Sat, 4 Aug 2018 07:10:03 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:49928 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732962AbeHDLKD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 4 Aug 2018 07:10:03 -0400
Received: from localhost (D57E6652.static.ziggozakelijk.nl [213.126.102.82])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 2CD1389C;
        Sat,  4 Aug 2018 09:10:03 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Wenwen Wang <wang6495@umn.edu>,
        Adam Radford <aradford@gmail.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.4 074/124] scsi: 3w-xxxx: fix a missing-check bug
Date:   Sat,  4 Aug 2018 11:01:03 +0200
Message-Id: <20180804082705.280674614@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180804082702.434482435@linuxfoundation.org>
References: <20180804082702.434482435@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

[ Upstream commit 9899e4d3523faaef17c67141aa80ff2088f17871 ]

In tw_chrdev_ioctl(), the length of the data buffer is firstly copied
from the userspace pointer 'argp' and saved to the kernel object
'data_buffer_length'. Then a security check is performed on it to make
sure that the length is not more than 'TW_MAX_IOCTL_SECTORS *
512'. Otherwise, an error code -EINVAL is returned. If the security
check is passed, the entire ioctl command is copied again from the
'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various
operations are performed on 'tw_ioctl' according to the 'cmd'. Given
that the 'argp' pointer resides in userspace, a malicious userspace
process can race to change the buffer length between the two
copies. This way, the user can bypass the security check and inject
invalid data buffer length. This can cause potential security issues in
the following execution.

This patch checks for capable(CAP_SYS_ADMIN) in tw_chrdev_open() to
avoid the above issues.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Adam Radford <aradford@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/3w-xxxx.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/scsi/3w-xxxx.c
+++ b/drivers/scsi/3w-xxxx.c
@@ -1034,6 +1034,9 @@ static int tw_chrdev_open(struct inode *
 
 	dprintk(KERN_WARNING "3w-xxxx: tw_ioctl_open()\n");
 
+	if (!capable(CAP_SYS_ADMIN))
+		return -EACCES;
+
 	minor_number = iminor(inode);
 	if (minor_number >= tw_device_extension_count)
 		return -ENODEV;