Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp133800ybi;
        Wed, 29 May 2019 18:12:57 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyp+X1It1hi0ai4ZnvERDFzKs6O0znjcIOeMQWFwkMPLKmTBBmd9fwgU91703LWbLLfa7Wi
X-Received: by 2002:a62:ea04:: with SMTP id t4mr688844pfh.47.1559178777328;
        Wed, 29 May 2019 18:12:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559178777; cv=none;
        d=google.com; s=arc-20160816;
        b=YbjjG3+ix9aj5oZp7yLqCjHuCSPcvTntgm5f2vGrc8guz70jAMHdbJ2aHDqkvi6hT9
         xKLf36uBfc0My9lknjXZHK6cJHpzHQATGUbp4mUoSgTrYBm4AJ2lMXleMQWVPgF4ejTv
         o9uKNKk5dYo8C0VHP28XW4DLiTFK8AzU7QmMllhViQ6Gh4hrfPCn5SztZNUCdbXUz/MZ
         bVntX4dTti7O6Sk78CLoGQfiiYcDb+9LEuKw/41LweCjNq3Nqq4ppzp4jCW20ZABK4vl
         DgxzVaXTAiYUEkj8oTJGUNlo83pwe3530OREcpeoI7qL3QbyFG9WDf+Zc6jaomlxeaNY
         RBZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:content-disposition
         :mime-version:message-id:subject:cc:to:from:date:dkim-signature;
        bh=9q3n6/Atan/BZx1c7DELwhCkfQhZCdsRzVyU+FH+w8E=;
        b=TYdLQUr906i/MhjOtSHJFyNgy7BpKMbHv+gH8Hph21JXbj9vWy1R8o6BHgC5Llj7s1
         mF30Mq5QETlkcnHnObGcwW+VWBxiQnXgtxtwnNcO7IPwCoDXnzQaRQ/wRgZQRyCfr7PA
         dsUkvjxMEhvKX0w7TMwdrwVx4E8ulhOTHfAaOXPIKH4SIn3MDUFLCZYYr6FkwfoybE+x
         v/DC8Tx4QOSdX1Ua0j2ERyi0Ghl9d9q9+RbiCzgBvM/1amscMG/DFULuV+fL8QMB0z/M
         wt1kIE07A+pn0qc0IrSpdX+zogREcK0fhEkRuuLLQzFQoqlpwTPY+5ob76nOEUAsR+PC
         difg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=kUVyJwmS;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t5si1498015pgv.164.2019.05.29.18.12.41;
        Wed, 29 May 2019 18:12:57 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=kUVyJwmS;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727273AbfE3BKz (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Wed, 29 May 2019 21:10:55 -0400
Received: from mail-pg1-f193.google.com ([209.85.215.193]:43482 "EHLO
        mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726527AbfE3BKz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 May 2019 21:10:55 -0400
Received: by mail-pg1-f193.google.com with SMTP id f25so922419pgv.10;
        Wed, 29 May 2019 18:10:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mime-version:content-disposition
         :user-agent;
        bh=9q3n6/Atan/BZx1c7DELwhCkfQhZCdsRzVyU+FH+w8E=;
        b=kUVyJwmSi9HfWvdvfbVdt5vH1mMxcA8Sio6yz3d2YqSTPgJCoxRQVYWakSZsk8/bnx
         klALrwxz3k9VRfeqFpqkdInMF3aI7iS4DATYpm3v1Aw0q1JQuw1jBcWfPXavpDDhVx7a
         GNq45ww6ueUZbKHuA071AMYqZsDCZ9XN7pttbpnTvOoiCQbKVME/DuOeCw9xqQPjLKpw
         rKtOICQFiygbSrO4z2qPaTwZH1bCIXpDjM0CyDo7qs9v3wqNODnQVjTRzTr+EqRZmAmZ
         UccWq2bDhqHydbAQrJ2b9RvTDuUQT3/z9F6xHMlj6gcKQUf0RYPxmQwhisf7xTMv4mEn
         fGwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
         :content-disposition:user-agent;
        bh=9q3n6/Atan/BZx1c7DELwhCkfQhZCdsRzVyU+FH+w8E=;
        b=cnH+WXRO+z1OIdKkwYTL1NHderVm92lfZMuoEJyevjyGSPwcUcxAZ0Hu1frzDI4Gre
         9c8Yn4xJfRna0uk8zCuXcwTYt4pBrmgm0xCI6smlTAe56WcDsby5SL/2HSToiEy382Cz
         x2yuk+lEc1xLKnheb3aNrkkOcMxcL4C+Rw1V2g/sR0HUeiuvMEnPiAyB1ks9N0mh7FIf
         Q5I6wJi4iQc1PdnAPhq6iXoAeXqBHeBQvnq4GNj9+GkrNxdrQDsRF+ck4UdD0ttiUSza
         DwVxO2NSuT+7Lg+z4mJswrYKWcPmKLm93va6lz/bRXge2p6reHbjwgNU1PSmqqlaVO4X
         ayWw==
X-Gm-Message-State: APjAAAX8BSHRJCPT9TYBwJvRyloFxnDQoLJbyVcio/88Kap90z7i/gVv
        wgo1zwyPkbnwtvujDUC5s1Q=
X-Received: by 2002:a65:6382:: with SMTP id h2mr990283pgv.355.1559178654745;
        Wed, 29 May 2019 18:10:54 -0700 (PDT)
Received: from zhanggen-UX430UQ ([66.42.35.75])
        by smtp.gmail.com with ESMTPSA id l8sm510250pgb.76.2019.05.29.18.10.42
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 29 May 2019 18:10:53 -0700 (PDT)
Date:   Thu, 30 May 2019 09:10:30 +0800
From:   Gen Zhang <blackgod016574@gmail.com>
To:     sathya.prakash@broadcom.com, chaitra.basappa@broadcom.com,
        jejb@linux.ibm.com, martin.petersen@oracle.com
Cc:     suganath-prabu.subramani@broadcom.com,
        MPT-FusionLinux.pdl@broadcom.com, linux-scsi@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()
Message-ID: <20190530011030.GA6314@zhanggen-UX430UQ>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In _ctl_ioctl_main(), 'ioctl_header' is fetched the first time from 
userspace. 'ioctl_header.ioc_number' is then checked. The legal result 
is saved to 'ioc'. Then, in condition MPT3COMMAND, the whole struct is
fetched again from the userspace. Then _ctl_do_mpt_command() is called,
'ioc' and 'karg' as inputs.

However, a malicious user can change the 'ioc_number' between the two 
fetches, which will cause a potential security issues.  Moreover, a 
malicious user can provide a valid 'ioc_number' to pass the check in 
first fetch, and then modify it in the second fetch.

To fix this, we need to recheck the 'ioc_number' in the second fetch.

Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
Ack-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
---
diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index b2bb47c..5181c03 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -2319,6 +2319,10 @@ _ctl_ioctl_main(struct file *file, unsigned int cmd, void __user *arg,
 			break;
 		}
 
+		if (karg.hdr.ioc_number != ioctl_header.ioc_number) {
+			ret = -EINVAL;
+			break;
+		}
 		if (_IOC_SIZE(cmd) == sizeof(struct mpt3_ioctl_command)) {
 			uarg = arg;
 			ret = _ctl_do_mpt_command(ioc, karg, &uarg->mf);