To: Wenwen Wang
Cc: Kangjie Lu, Kashyap Desai, Sumit Saxena, Shivasharan S, "James E.J. Bottomley", "Martin K. Petersen", megaraidlinux.pdl@broadcom.com (open list:MEGARAID SCSI/SAS DRIVERS), linux-scsi@vger.kernel.org (open list:MEGARAID SCSI/SAS DRIVERS), linux-kernel@vger.kernel.org (open list)
Subject: Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug
From: "Martin K. Petersen"
Organization: Oracle Corporation
References: <1538850861-26882-1-git-send-email-wang6495@umn.edu>
Date: Mon, 15 Oct 2018 23:43:12 -0400
In-Reply-To: <1538850861-26882-1-git-send-email-wang6495@umn.edu> (Wenwen Wang's message of "Sat, 6 Oct 2018 13:34:21 -0500")
X-Mailing-List: linux-kernel@vger.kernel.org

Wenwen,

> In megasas_mgmt_compat_ioctl_fw(), to handle the structure
> compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
> 'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
> packet. Since the two data structures have different fields, the data is
> copied from 'cioc' to 'ioc' field by field. In the copy process,
> 'sense_ptr' is prepared if the field 'sense_len' is not null, because it
> will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
> user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
> to kernel-space variables 'local_sense_off' and 'user_sense_off'
> respectively. Given that 'ioc->sense_off' is also copied from
> 'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
> same value. However, 'cioc' is in the user space and a malicious user can
> race to change the value of 'cioc->sense_off' after it is copied to
> 'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
> the attacker can inject different values into 'local_sense_off' and
> 'user_sense_off'. This can cause undefined behavior in the following
> execution, because the two variables are supposed to be the same.
>
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.

Broadcom folks: Please review!

-- 
Martin K. Petersen	Oracle Linux Engineering
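The following C model is an added illustration of the double-fetch window the commit message describes and of the comparison the patch adds. It is not the megaraid_sas driver's code and not part of this patch: the structure, the fetch routine, the race hook and the handler names (user_iocpacket, fetch_user, race_hook, handle_ioctl_unchecked, handle_ioctl_checked) are all hypothetical. The racing user thread is simulated by a hook that runs after every fetch, so the outcome is deterministic instead of timing dependent.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space packet. It borrows the field names the commit
 * message discusses (sense_off, sense_len) but is not the driver's
 * compat_megasas_iocpacket layout. */
struct user_iocpacket {
	uint32_t sense_off;
	uint32_t sense_len;
	uint8_t  frame[64];
};

/* Stand-in for a concurrently running user-space thread. The model calls
 * it after every fetch so the race is reproducible; a real attacker would
 * spin on the field from another thread. */
typedef void (*race_hook_t)(struct user_iocpacket *upkt);
static race_hook_t race_hook;

/* Stand-in for copy_from_user(): plain memcpy, then the writer gets a turn. */
static int fetch_user(void *dst, const void *src, size_t n,
		      struct user_iocpacket *upkt)
{
	memcpy(dst, src, n);
	if (race_hook)
		race_hook(upkt);
	return 0;
}

/* Vulnerable shape (double fetch): sense_off is read from user memory
 * twice, once via a kernel copy of the packet and once directly into a
 * second local. Nothing ties the two values together. */
static int handle_ioctl_unchecked(struct user_iocpacket *upkt,
				  uint32_t *local_sense_off,
				  uint32_t *user_sense_off)
{
	struct user_iocpacket kpkt;

	if (fetch_user(&kpkt, upkt, sizeof(kpkt), upkt))	/* fetch #1 */
		return -EFAULT;
	*local_sense_off = kpkt.sense_off;
	if (fetch_user(user_sense_off, &upkt->sense_off,	/* fetch #2 */
		       sizeof(*user_sense_off), upkt))
		return -EFAULT;
	return 0;
}

/* Hardened shape, following the patch's approach: keep both fetches but
 * reject the request with -EINVAL when the two copies disagree. */
static int handle_ioctl_checked(struct user_iocpacket *upkt,
				uint32_t *sense_off_out)
{
	uint32_t local_sense_off, user_sense_off;
	int err = handle_ioctl_unchecked(upkt, &local_sense_off,
					 &user_sense_off);

	if (err)
		return err;
	if (local_sense_off != user_sense_off)
		return -EINVAL;
	*sense_off_out = local_sense_off;
	return 0;
}

/* Simulated racing writer: toggles one bit of sense_off after each fetch,
 * so fetch #1 sees 8 and fetch #2 sees 72. */
static void flip_sense_off(struct user_iocpacket *upkt)
{
	upkt->sense_off ^= 0x40;
}

/* Values seen by the last unchecked run, kept so they can be inspected. */
static uint32_t last_local_sense_off, last_user_sense_off;

/* Run the unchecked handler on a constructed packet with sense_off = 8. */
static int run_unchecked(int racing)
{
	struct user_iocpacket upkt = { .sense_off = 8, .sense_len = 16 };

	race_hook = racing ? flip_sense_off : NULL;
	return handle_ioctl_unchecked(&upkt, &last_local_sense_off,
				      &last_user_sense_off);
}

/* Run the checked handler on the same packet: 0 without the race, -EINVAL
 * when the writer changes sense_off between the two fetches. */
static int run_checked(int racing)
{
	struct user_iocpacket upkt = { .sense_off = 8, .sense_len = 16 };
	uint32_t sense_off;

	race_hook = racing ? flip_sense_off : NULL;
	return handle_ioctl_checked(&upkt, &sense_off);
}

int main(void)
{
	run_unchecked(1);
	printf("unchecked, racing: local_sense_off=%u user_sense_off=%u\n",
	       last_local_sense_off, last_user_sense_off);
	printf("checked, racing: %d (-EINVAL is %d); no race: %d\n",
	       run_checked(1), -EINVAL, run_checked(0));
	return 0;
}
```

The comparison closes the inconsistency the commit message names, but only for the field it compares. The more general defence against this class of bug is to copy the user structure exactly once and derive every later use, including the sense offset, from that single kernel copy, so that no window exists for user space to change a value between two reads of it.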