Date: Thu, 23 May 2019 10:38:55 +0800
From: Gen Zhang
To: martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] sg: Fix a double-fetch bug in drivers/scsi/sg.c
Message-ID: <20190523023855.GA17852@zhanggen-UX430UQ>
X-Mailing-List: linux-kernel@vger.kernel.org

In sg_write(), the opcode of the command is fetched the first time from userspace by __get_user(). Then the whole command, the opcode included, is fetched again from userspace by __copy_from_user(). However, a malicious user can change the opcode between the two fetches. This can cause inconsistent data and potential errors as cmnd is used in the following code. Thus we should check opcode between the two fetches to prevent this.

Signed-off-by: Gen Zhang
---
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index d3f1531..a2971b8 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c
@@ -694,6 +694,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) hp->flags = input_size; /* structure abuse ... */ hp->pack_id = old_hdr.pack_id; hp->usr_ptr = NULL; + if (opcode != cmnd[0]) + return -EINVAL; if (__copy_from_user(cmnd, buf, cmd_size)) return -EFAULT; /* ---
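Review bot: the added comparison `if (opcode != cmnd[0]) return -EINVAL;` sits before the `__copy_from_user(cmnd, buf, cmd_size)` that fills cmnd, so at that point cmnd[0] does not yet contain the second fetch of the opcode and the check compares the first-fetched opcode against whatever the local buffer happened to hold. For the check to catch an opcode changed between the two fetches, as the commit message intends, it has to run after the copy succeeds, i.e. after the `return -EFAULT;` path, comparing `opcode` with the `cmnd[0]` just copied in. The commit message's "check opcode between the two fetches" should then say the check follows the second fetch.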
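The double-fetch the commit message describes has the shape "first read decides the size, second read supplies the data". The C model below is an added example, not the sg driver's code or the patch: it stands in for the user buffer with an ordinary array plus a hook that a test can use to play the racing writer, uses an assumed simplification of the kernel's opcode-group sizing in place of COMMAND_SIZE(), and places the consistency check after the second fetch so that cmnd[0] actually holds user data when it is compared.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a user-controlled buffer: the hook runs between the
 * two fetches so a test can stand in for a racing user thread. */
typedef void (*between_fetch_fn)(uint8_t *ubuf, size_t len);

/* Assumed simplification of the kernel's COMMAND_SIZE(): the CDB length is
 * picked by the opcode's group bits, so a changed opcode can imply a
 * different length than the one the copy was sized for. */
static size_t cdb_size(uint8_t opcode) {
    static const size_t group_len[8] = {6, 10, 10, 12, 16, 12, 10, 10};
    return group_len[(opcode >> 5) & 7];
}

/* Models the two fetches in sg_write().  Returns 0 or a negative errno and
 * leaves the validated CDB in cmnd with its length in *cmd_len. */
int fetch_cdb(uint8_t *ubuf, size_t ulen, between_fetch_fn race,
              uint8_t *cmnd, size_t *cmd_len) {
    if (ulen < 1) return -EINVAL;
    uint8_t opcode = ubuf[0];            /* first fetch:  __get_user(opcode, buf) */
    size_t cmd_size = cdb_size(opcode);
    if (cmd_size > ulen) return -EINVAL;
    if (race) race(ubuf, ulen);          /* the window a racing writer has */
    memcpy(cmnd, ubuf, cmd_size);        /* second fetch: __copy_from_user(cmnd, buf, cmd_size) */
    /* The check belongs AFTER the second fetch: only then does cmnd[0] hold
     * user data.  Only the opcode needs comparing, since it is the one byte
     * consumed from the first fetch (it sized the copy). */
    if (cmnd[0] != opcode) return -EINVAL;
    *cmd_len = cmd_size;
    return 0;
}

/* Constructed sample: a 6-byte INQUIRY CDB (opcode 0x12, group 0). */
static int run_case(between_fetch_fn race, size_t *cmd_len) {
    uint8_t ubuf[16] = {0x12, 0x00, 0x00, 0x00, 0x24, 0x00};
    uint8_t cmnd[16];
    return fetch_cdb(ubuf, sizeof ubuf, race, cmnd, cmd_len);
}

/* Stand-in for a user thread rewriting the opcode between the fetches. */
static void racer_change_opcode(uint8_t *ubuf, size_t len) {
    (void)len;
    ubuf[0] = 0x28;  /* READ(10), a 10-byte group-1 CDB: cmd_size no longer matches */
}

int demo_consistent(void) { size_t n; return run_case(NULL, &n) == 0 ? (int)n : -1; }
int demo_raced(void) { size_t n; return run_case(racer_change_opcode, &n); }
```

With an unchanged buffer the 6-byte command is accepted; when the opcode is rewritten in the window, the post-copy comparison rejects the command instead of passing a CDB whose size was derived from a different opcode.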