Date: Tue, 28 May 2019 15:05:08 +0800
From: Gen Zhang
To: Suganath Prabu Subramani
Cc: "Martin K. Petersen", Sathya Prakash, "James E.J. Bottomley", PDL-MPT-FUSIONLINUX, linux-scsi, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()
Message-ID: <20190528070508.GA18498@zhanggen-UX430UQ>
References: <20190527005716.GA17015@zhanggen-UX430UQ>

On Tue, May 28, 2019 at 11:44:35AM +0530, Suganath Prabu Subramani wrote:
> Please consider this patch as Ack-by: Suganath Prabu S
>
> Thanks,
> Suganath.
>
> On Mon, May 27, 2019 at 6:27 AM Gen Zhang wrote:
> >
> > In _ctl_ioctl_main(), 'ioctl_header' is fetched the first time from
> > userspace. 'ioctl_header.ioc_number' is then checked. The legal result
> > is saved to 'ioc'. Then, in condition MPT3COMMAND, the whole struct is
> > fetched again from the userspace. Then _ctl_do_mpt_command() is called
> > with 'ioc' and 'karg' as inputs.
> >
> > However, a malicious user can change the 'ioc_number' between the two
> > fetches, which will cause a potential security issue. Moreover, a
> > malicious user can provide a valid 'ioc_number' to pass the check in
> > the first fetch, and then modify it in the second fetch.
> >
> > To fix this, we need to recheck the 'ioc_number' in the second fetch.
> >
> > Signed-off-by: Gen Zhang
> > ---
> > diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
> > index b2bb47c..5181c03 100644
> > --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
> > +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
> > @@ -2319,6 +2319,10 @@ _ctl_ioctl_main(struct file *file, unsigned int cmd, void __user *arg,
> > break;
> > }
> >
> > + if (karg.hdr.ioc_number != ioctl_header.ioc_number) {
> > + ret = -EINVAL;
> > + break;
> > + }
> > if (_IOC_SIZE(cmd) == sizeof(struct mpt3_ioctl_command)) {
> > uarg = arg;
> > ret = _ctl_do_mpt_command(ioc, karg, &uarg->mf);

Thanks for your reply, Suganath.

Thanks
Gen
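Review bot: the new comparison in this hunk carries no comment saying why it is there; to a later reader, `if (karg.hdr.ioc_number != ioctl_header.ioc_number)` looks redundant, since both values were copied from the same caller-supplied buffer, and the only reason they can differ is a concurrent modification between the two copies. Suggest a one-line comment above it, along the lines of `/* header changed between the two fetches; do not trust karg */`, so the check is not "simplified away" later. Also, the inserted block runs straight into `if (_IOC_SIZE(cmd) == sizeof(struct mpt3_ioctl_command)) {` with no separating blank line, whereas the surrounding code keeps a blank line between the preceding `}` and the next statement; adding one after the new `+ }` would match the existing style.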
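As an added example, not part of this thread or of the mpt3sas driver, the user-space C model below reproduces the double fetch the commit message describes. A handler copies a caller's buffer twice, a hook mutates that buffer between the two copies (standing in for a racing user thread), and the two variants differ only by the re-check the patch adds: the unchecked handler dispatches a command whose header no longer matches the one it validated, while the re-checked handler returns -EINVAL. Every name here (fake_copy_from_user, verify_adapter, do_mpt_command, flip_ioc_number, run_case, the struct layouts) is a hypothetical stand-in, not the driver's own code.

```c
/* Added example: user-space model of the ioctl double fetch, not driver code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IOC      2            /* adapters 0 and 1 "exist" (assumption) */
#define NO_DISPATCH  0xffffffffu  /* sentinel: no command reached an adapter */

/* Hypothetical layouts standing in for mpt3_ioctl_header / mpt3_ioctl_command. */
struct hdr     { uint32_t ioc_number; uint32_t port_number; };
struct mpt_cmd { struct hdr hdr; uint32_t data_len; uint8_t data[16]; };

/* Stand-in for a racing user thread: invoked once, right after the first copy. */
typedef void (*race_fn)(void *user_buf);

/* Model of copy_from_user(): copy, then let the "other thread" run. */
static int fake_copy_from_user(void *dst, void *user_buf, size_t n, race_fn race)
{
    memcpy(dst, user_buf, n);
    if (race)
        race(user_buf);
    return 0;
}

/* What the lower layer was actually handed; inspected after each run. */
static uint32_t last_dispatched_ioc = NO_DISPATCH;

void reset_dispatch(void) { last_dispatched_ioc = NO_DISPATCH; }
uint32_t dispatched_ioc(void) { return last_dispatched_ioc; }

/* Stand-in for _ctl_do_mpt_command(): downstream code trusts karg->hdr. */
static int do_mpt_command(int ioc, const struct mpt_cmd *karg)
{
    (void)ioc;
    last_dispatched_ioc = karg->hdr.ioc_number;
    return 0;
}

/* Validates the adapter index taken from the *first* fetch only. */
static int verify_adapter(uint32_t ioc_number)
{
    return ioc_number < MAX_IOC ? (int)ioc_number : -ENODEV;
}

/* Before the fix: fetch #1 is validated, fetch #2 is used, nothing ties them. */
int ioctl_double_fetch(void *user_buf, race_fn race)
{
    struct hdr ioctl_header;
    struct mpt_cmd karg;
    int ioc;

    if (fake_copy_from_user(&ioctl_header, user_buf, sizeof(ioctl_header), race))
        return -EFAULT;
    ioc = verify_adapter(ioctl_header.ioc_number);
    if (ioc < 0)
        return ioc;
    if (fake_copy_from_user(&karg, user_buf, sizeof(karg), NULL))
        return -EFAULT;
    return do_mpt_command(ioc, &karg);
}

/* After the fix: same flow, plus the re-check of the second fetch. */
int ioctl_rechecked(void *user_buf, race_fn race)
{
    struct hdr ioctl_header;
    struct mpt_cmd karg;
    int ioc;

    if (fake_copy_from_user(&ioctl_header, user_buf, sizeof(ioctl_header), race))
        return -EFAULT;
    ioc = verify_adapter(ioctl_header.ioc_number);
    if (ioc < 0)
        return ioc;
    if (fake_copy_from_user(&karg, user_buf, sizeof(karg), NULL))
        return -EFAULT;
    if (karg.hdr.ioc_number != ioctl_header.ioc_number)
        return -EINVAL;           /* buffer changed between the two fetches */
    return do_mpt_command(ioc, &karg);
}

/* Constructed attacker action: swap in an out-of-range adapter index after
 * the validated header has already been read. */
void flip_ioc_number(void *user_buf)
{
    ((struct hdr *)user_buf)->ioc_number = 0xdeadbeef;
}

/* Runs one handler against a fresh, initially valid buffer; returns its rc. */
int run_case(int (*handler)(void *, race_fn), race_fn race)
{
    struct mpt_cmd ubuf;
    memset(&ubuf, 0, sizeof(ubuf));
    ubuf.hdr.ioc_number = 1;      /* passes verify_adapter() at fetch #1 */
    reset_dispatch();
    return handler(&ubuf, race);
}

int main(void)
{
    int rc = run_case(ioctl_double_fetch, flip_ioc_number);
    printf("unchecked: rc=%d, adapter handed down=0x%x\n", rc, dispatched_ioc());
    rc = run_case(ioctl_rechecked, flip_ioc_number);
    printf("rechecked: rc=%d, adapter handed down=0x%x\n", rc, dispatched_ioc());
    return 0;
}
```

The race hook runs deterministically between the copies, so the model shows the worst case of the real race every time rather than depending on scheduler timing; the point it makes is that validating fetch #1 says nothing about the contents of fetch #2 unless the handler compares them (or re-validates the second copy and uses only it).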