Date: Mon, 27 May 2019 09:03:38 +0800
From: Gen Zhang
To: dgilbert@interlog.com, jejb@linux.ibm.com, martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] sg: fix a double-fetch bug in sg_write()
Message-ID: <20190527010338.GA17170@zhanggen-UX430UQ>

In sg_write(), the opcode of the command is fetched the first time from userspace by __get_user(). Then the whole command, the opcode included, is fetched again from userspace by __copy_from_user(). However, a malicious user can change the opcode between the two fetches. This can cause inconsistent data and potential errors, as cmnd is used in the following code. Thus we should check the opcode between the two fetches to prevent this.

Signed-off-by: Gen Zhang
--- diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index d3f1531..a2971b8 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c
@@ -694,6 +694,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) hp->flags = input_size; /* structure abuse ... */ hp->pack_id = old_hdr.pack_id; hp->usr_ptr = NULL; + if (opcode != cmnd[0]) + return -EINVAL; if (__copy_from_user(cmnd, buf, cmd_size)) return -EFAULT; /* ---
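Review bot: the added check `if (opcode != cmnd[0]) return -EINVAL;` runs before the `if (__copy_from_user(cmnd, buf, cmd_size))` that fills cmnd, so at that point cmnd[0] does not yet hold the re-fetched opcode and the comparison cannot detect the change the commit message describes; it compares against whatever cmnd held before the copy. Move the comparison after a successful __copy_from_user (compare opcode with cmnd[0] once the full command is in kernel memory), or better, stop fetching the opcode separately and take it from the copied cmnd so there is only one fetch and nothing to race against; the second option removes the double fetch instead of detecting it.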
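The double fetch described in the commit message, worked through as an added example that is not part of the patch or of drivers/scsi/sg.c. It is a user-space model: "user memory" is a plain byte array, `model_get_user` and `model_copy_from_user` stand in for __get_user() and __copy_from_user(), a 6-byte command size and the opcode values are constructed, and an optional hook runs between the two fetches to play the role of another thread rewriting the opcode. Three handlers are compared: the original two-fetch pattern with no check, the same two fetches with the comparison placed after the copy (when cmnd[0] actually holds the second fetch), and a single-fetch version that derives the opcode from the private copy so there is no window at all.

```c
/*
 * Added example, not from the patch or from drivers/scsi/sg.c: a user-space
 * model of the double fetch in sg_write(). "User memory" is a byte array and
 * an optional hook runs between the two fetches to stand in for another
 * thread rewriting the opcode byte at that moment.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_SIZE 6  /* assumed: a 6-byte CDB is enough for the model */

/* Callback run while the handler sits between fetches; NULL means no racer. */
typedef void (*race_hook)(unsigned char *user_buf);

/* Stand-in for __get_user(opcode, buf): read one byte of user memory. */
static unsigned char model_get_user(const unsigned char *user_buf)
{
	return user_buf[0];
}

/* Stand-in for __copy_from_user(cmnd, buf, n). */
static void model_copy_from_user(unsigned char *dst, const unsigned char *user_buf, size_t n)
{
	memcpy(dst, user_buf, n);
}

/*
 * Pattern as in the unpatched sg_write(): opcode fetched first, whole command
 * fetched later, nothing compared. Returns 0 when the validated opcode and
 * the opcode inside cmnd agree, 1 when they silently disagree.
 */
int handler_double_fetch(unsigned char *user_buf, race_hook hook)
{
	unsigned char cmnd[CMD_SIZE];
	unsigned char opcode = model_get_user(user_buf);  /* first fetch */

	if (hook)
		hook(user_buf);                            /* racer rewrites user memory */
	model_copy_from_user(cmnd, user_buf, CMD_SIZE);    /* second fetch */
	return opcode != cmnd[0];
}

/*
 * Same two fetches, but the comparison runs after the copy, when cmnd[0]
 * really holds the re-fetched byte. Returns -EINVAL when a change between
 * the fetches is detected, 0 otherwise.
 */
int handler_checked(unsigned char *user_buf, race_hook hook)
{
	unsigned char cmnd[CMD_SIZE];
	unsigned char opcode = model_get_user(user_buf);

	if (hook)
		hook(user_buf);
	model_copy_from_user(cmnd, user_buf, CMD_SIZE);
	if (opcode != cmnd[0])
		return -EINVAL;
	return 0;
}

/*
 * Single fetch: copy once, take the opcode from the private copy. The racer
 * can only touch user memory afterwards, so this always returns 0.
 */
int handler_single_fetch(unsigned char *user_buf, race_hook hook)
{
	unsigned char cmnd[CMD_SIZE];
	unsigned char opcode;

	model_copy_from_user(cmnd, user_buf, CMD_SIZE);    /* the only fetch */
	opcode = cmnd[0];
	if (hook)
		hook(user_buf);                            /* changes only user memory */
	return opcode != cmnd[0];
}

/* Constructed racer: replaces the opcode byte in user memory. */
void flip_opcode(unsigned char *user_buf)
{
	user_buf[0] = 0x12;  /* constructed: any byte other than the original */
}

/* Builds a constructed user buffer and runs one handler against it. */
int run_scenario(int (*handler)(unsigned char *, race_hook), race_hook hook)
{
	unsigned char user_buf[CMD_SIZE] = { 0x00, 0, 0, 0, 0, 0 };  /* constructed command */
	return handler(user_buf, hook);
}

int main(void)
{
	printf("double fetch, racing : %d (1 = silent inconsistency)\n",
	       run_scenario(handler_double_fetch, flip_opcode));
	printf("checked after copy   : %d (-EINVAL = race detected)\n",
	       run_scenario(handler_checked, flip_opcode));
	printf("single fetch, racing : %d (0 = cannot disagree)\n",
	       run_scenario(handler_single_fetch, flip_opcode));
	return 0;
}
```

The hook makes the race deterministic so the three outcomes can be asserted rather than observed by chance; in a real kernel the window is a matter of scheduling. Of the two mitigations, the single-fetch handler is the one to prefer: it needs no error path because the validated and executed bytes are the same copy by construction.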