Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp190818ybi;
        Wed, 29 May 2019 19:23:34 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzSS42yIoYbWOJTFiU8URdQKwUZvoJzjoSdRxf25/hMEP12/hp6g85eTYkXQQ8dHC7WHNhU
X-Received: by 2002:a62:4d04:: with SMTP id a4mr1078578pfb.177.1559183014801;
        Wed, 29 May 2019 19:23:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559183014; cv=none;
        d=google.com; s=arc-20160816;
        b=WrggP4YOV5cN0pMYFolldoOx3se/KE/k9XSaLRWouB34XuzwOM7xVGQXanSZjcXZ2o
         UIe0lsM1sTF5ZWHK5/MYg9qq2lD5rB103EUkutgSDcIaKnvP1PxEvRCCiArYXK8qP6x1
         z8nYpMdL7hzplBkzltVnviuVcE2urewya3kqU18SOdNxuAj5JqeBu2WkHf+U/VLA7vRW
         S4fBARkfkC7N/xTGg8BIw9Xx5Acnm0Km0JhXKm61f1VcWMtLKjh+ShhQLWjlD2aF/Nj+
         TnxfJpjDc0ChLXLbyBw3d4zZezsFKWFh1goMJAb568ghSUnEw30IAB+Jx/Dn0mggDyh0
         EPKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:message-id
         :in-reply-to:date:references:organization:from:subject:cc:to
         :dkim-signature;
        bh=TydgSuxW1pWzusJHeoqCWsVAH6tbpZAvDeYoJkM1QCE=;
        b=BDyUGWQ9HFJR0BuZilocbVVtCfNNe52SqpTmDlBdo9zwj6Tqalm/QZNcleECuGSVUs
         X1Thjm/wltpNQu79giH4sJOirANtyI7VBUtfWNqOsU58XCa87ERcLaa9xOJmRVPnlZaa
         k0DdF1/KL/aNrxSkCKu1eakhQmS59Am/KQvH4pc/7td7X0ElywZVuiMpByQNRh4fJHeh
         VcrQFi08UrmslMGmYQnFQR3o6vPQpjiHmL5m/RBfuh0QtWqsw8amntoFfO2fTyfc+taB
         EtiR2hY0BwQHv+IMzaT8AuW22Z1gYbK+KMPFsoqRUJGmc4DPqFqvgeR7y/M5Xd79iyOL
         jBjQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=DN0EW6+y;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a10si1687691pla.60.2019.05.29.19.23.18;
        Wed, 29 May 2019 19:23:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=DN0EW6+y;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727277AbfE3CWN (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Wed, 29 May 2019 22:22:13 -0400
Received: from aserp2130.oracle.com ([141.146.126.79]:44832 "EHLO
        aserp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726498AbfE3CWN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 May 2019 22:22:13 -0400
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1])
        by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4U2J1Ob011938;
        Thu, 30 May 2019 02:22:08 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=to : cc : subject :
 from : references : date : in-reply-to : message-id : mime-version :
 content-type; s=corp-2018-07-02;
 bh=TydgSuxW1pWzusJHeoqCWsVAH6tbpZAvDeYoJkM1QCE=;
 b=DN0EW6+yE67YzXIIGLcT8zY0A3ArvRNJgHEEc1nX9jqcxgu09y7cz+SCbbZdkryTtqGP
 OlKCnkNvaO49METNTM00WTPg9KJnFWI3KIqf11ODo8jT/oPlIGpdgaXBxXSyjvx1FclQ
 k1DccYH7Dz0YvRCpbKazQqGC/WoWkOxfYmbMEIMam3KcjxGCBMVYBJYormGYV7jeG8Hm
 jllX+mfpZYaT//uzSv0c9qU4uOCulP5Md2x+pL22GAZ800r/vI17hjjENdxFTNOaXABg
 wnzn758hJm7dKcHUAU/7a1K37uz/uK4I9BWKdeJicUH3/gtxVEPH5IqiDxoXuxnONtJG lw== 
Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70])
        by aserp2130.oracle.com with ESMTP id 2spu7dnkfy-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Thu, 30 May 2019 02:22:08 +0000
Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1])
        by aserp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4U2KZ1I034535;
        Thu, 30 May 2019 02:22:07 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
        by aserp3020.oracle.com with ESMTP id 2sqh7421vk-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Thu, 30 May 2019 02:22:07 +0000
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11])
        by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x4U2M6PH029860;
        Thu, 30 May 2019 02:22:06 GMT
Received: from ca-mkp.ca.oracle.com (/10.159.214.123)
        by default (Oracle Beehive Gateway v4.0)
        with ESMTP ; Wed, 29 May 2019 19:22:05 -0700
To:     Gen Zhang <blackgod016574@gmail.com>
Cc:     sathya.prakash@broadcom.com, chaitra.basappa@broadcom.com,
        jejb@linux.ibm.com, martin.petersen@oracle.com,
        suganath-prabu.subramani@broadcom.com,
        MPT-FusionLinux.pdl@broadcom.com, linux-scsi@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()
From:   "Martin K. Petersen" <martin.petersen@oracle.com>
Organization: Oracle Corporation
References: <20190530011030.GA6314@zhanggen-UX430UQ>
Date:   Wed, 29 May 2019 22:22:03 -0400
In-Reply-To: <20190530011030.GA6314@zhanggen-UX430UQ> (Gen Zhang's message of
        "Thu, 30 May 2019 09:10:30 +0800")
Message-ID: <yq1ef4gy94k.fsf@oracle.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9272 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0
 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=992
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1810050000 definitions=main-1905300016
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9272 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011
 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000
 definitions=main-1905300016
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


Gen,

> In _ctl_ioctl_main(), 'ioctl_header' is fetched the first time from 
> userspace. 'ioctl_header.ioc_number' is then checked. The legal result 
> is saved to 'ioc'. Then, in condition MPT3COMMAND, the whole struct is
> fetched again from the userspace. Then _ctl_do_mpt_command() is called,
> 'ioc' and 'karg' as inputs.
>
> However, a malicious user can change the 'ioc_number' between the two 
> fetches, which will cause a potential security issues.  Moreover, a 
> malicious user can provide a valid 'ioc_number' to pass the check in 
> first fetch, and then modify it in the second fetch.
>
> To fix this, we need to recheck the 'ioc_number' in the second fetch.

Applied to 5.3/scsi-queue, thanks.

-- 
Martin K. Petersen	Oracle Linux Engineering