Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp5181366imu; Tue, 25 Dec 2018 20:24:27 -0800 (PST) X-Google-Smtp-Source: ALg8bN4Y9PtHkCqq/FgbCdxmcRz/TtMZiBwQYjUBO+uZw22tIeAserZ8Ka0Mm1X4/1QtWr77ufsf X-Received: by 2002:a63:9809:: with SMTP id q9mr17637461pgd.109.1545798266939; Tue, 25 Dec 2018 20:24:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1545798266; cv=none; d=google.com; s=arc-20160816; b=FIgZpwIVDDR1napPGT1vn+pH5re5IZtutSBeqOC4oK810sKLCcolCfDKxGM2ECf4Pf OhpYZv/JANumzG9ZmI7E3Qcd3/5579QBTH8OHndemiuCpL/O45DpTlEToJ3L/R5fcJdA qNoOIUCxpqVPK3NGAV8P/U/U14iu+5cJYk4soAG4qt/97NNFw/N9XmkH/kp1H4EqGA8q b8DvdiEvY6bA3wOiVQ0DxSPEqAP+euteb98BKvVnls5LW0wwBRW2TTP5FnIZtmJjV8Mu WM4uzxhb4rUvrDNFqtfvDuTC0xa19uelKPPxvMYRSCdRao6rt7925cEVSYF2yMKLSm8t yPEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:reply-to; bh=KIISGcfJ5yevikhLIq9xi5t/UOKWgUPNU7XmUMXdyH0=; b=LNY2KZpWTfFiL+cXOpa/efnwzDOtP6HgqKj2xUwAEe7coREm+FLgMlLQmx8Ulc8x+m gRpVKour7fbxWQ+gNb9RVIj34bMxjUtQAGNw0ficdKHMEhqH0iTQytpkop8dJahIRJMw wAwzuz5TciQJDE6B3Ajy8NQ02OP2x1PcpkD/mTPU1t546l5Q8OIsGybjUbr+wVZI4rkC sr/frySnRox8LsC9tsGcb9s6iKTfDE8wvi5GRuJIgNCGAurVLmh/5oX4KSrDAUSBRY5j eNS5WxRgJzVmmwYlyxuOkH3tFqbKDwpAIWOUuucGx7mfZ1h4JQTNDPs65SFbaPR/bCSe Hv8Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v34si31682530plg.205.2018.12.25.20.24.12; Tue, 25 Dec 2018 20:24:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726075AbeLZDnF (ORCPT + 99 others); Tue, 25 Dec 2018 22:43:05 -0500 Received: from smtp.infotech.no ([82.134.31.41]:51689 "EHLO smtp.infotech.no" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725867AbeLZDnF (ORCPT ); Tue, 25 Dec 2018 22:43:05 -0500 Received: from localhost (localhost [127.0.0.1]) by smtp.infotech.no (Postfix) with ESMTP id 9BA502041E3; Wed, 26 Dec 2018 04:43:02 +0100 (CET) X-Virus-Scanned: by amavisd-new-2.6.6 (20110518) (Debian) at infotech.no Received: from smtp.infotech.no ([127.0.0.1]) by localhost (smtp.infotech.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PKKl1IEwfJbX; Wed, 26 Dec 2018 04:42:55 +0100 (CET) Received: from [192.168.48.23] (host-184-164-16-103.dyn.295.ca [184.164.16.103]) by smtp.infotech.no (Postfix) with ESMTPA id 51450204187; Wed, 26 Dec 2018 04:42:53 +0100 (CET) Reply-To: dgilbert@interlog.com Subject: Re: [PATCH] scsi: fix a double-fetch bug in sg_write To: Kangjie Lu Cc: pakki001@umn.edu, "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org References: <20181225202427.69476-1-kjlu@umn.edu> From: Douglas Gilbert Message-ID: <7e727b1a-88e5-7062-159e-bf4be110d168@interlog.com> Date: Tue, 25 Dec 2018 22:42:52 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 MIME-Version: 1.0 In-Reply-To: <20181225202427.69476-1-kjlu@umn.edu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-CA Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-12-25 3:24 p.m., Kangjie Lu wrote: > "opcode" has been copied in from user space and checked. We should not > copy it in again, which may have been modified by malicous > multi-threading user programs through race conditions. The fix uses the > opcode fetched in the first copy. > > Signed-off-by: Kangjie Lu Acked-by: Douglas Gilbert Also applied to my sg v4 driver code. The v1 and v2 interfaces (based on struct sg_header) did not provide a command length field. The sg driver needed to read the first byte of the command (the "opcode") to determine the full command's length prior to actually reading it in full. Hard to think of an example of an exploit based on this double read. > --- > drivers/scsi/sg.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c > index 4dacbfffd113..41774e4f9508 100644 > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c > @@ -686,7 +686,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) > hp->flags = input_size; /* structure abuse ... */ > hp->pack_id = old_hdr.pack_id; > hp->usr_ptr = NULL; > - if (__copy_from_user(cmnd, buf, cmd_size)) > + cmnd[0] = opcode; > + if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1)) > return -EFAULT; > /* > * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV, >