Date: Fri, 31 May 2019 09:27:04 +0800
From: Gen Zhang
To: dgilbert@interlog.com, jejb@linux.ibm.com, martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] sg: fix a double-fetch bug in sg_write()
Message-ID: <20190531012704.GA4541@zhanggen-UX430UQ>

In sg_write(), the opcode of the command is fetched the first time from
userspace by __get_user(). Then the whole command, the opcode included,
is fetched again from userspace by __copy_from_user(). However, a
malicious user can change the opcode between the two fetches. This can
cause inconsistent data and potential errors as cmnd is used in the
following code. Thus we should check opcode between the two fetches to
prevent this.

Signed-off-by: Gen Zhang
---
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index d3f1531..a2971b8 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c
@@ -694,6 +694,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) hp->flags = input_size; /* structure abuse ... */ hp->pack_id = old_hdr.pack_id; hp->usr_ptr = NULL; + if (opcode != cmnd[0]) + return -EINVAL; if (__copy_from_user(cmnd, buf, cmd_size)) return -EFAULT; /* ---
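Review bot: the added `if (opcode != cmnd[0]) return -EINVAL;` sits before `if (__copy_from_user(cmnd, buf, cmd_size))`, so at the moment of the compare cmnd has not yet been filled from user space by the second fetch and cmnd[0] holds whatever the local array contained beforehand; the check therefore never compares the two fetches with each other and cannot catch the race the commit message describes, while it will reject legitimate writes whenever that stale byte happens to differ from opcode. Move the check to directly after the copy succeeds, so that the value validated is the one actually copied: `if (__copy_from_user(cmnd, buf, cmd_size)) return -EFAULT;` followed by `if (opcode != cmnd[0]) return -EINVAL;`. The commit message should also state that a write whose opcode changes between the fetches now fails with -EINVAL, since that is a user-visible behaviour change.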
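The following is an added illustration, not code from the patch or from drivers/scsi/sg.c, written to show why the placement of the opcode compare matters. It simulates the two user-space fetches in ordinary C: `struct user_buf`, `sim_get_user`, `sim_copy_from_user`, the `tamper` flag that emulates a concurrent writer changing the opcode byte between the fetches, and the errno values are all constructed stand-ins. `sg_write_check_before_copy` mirrors the placement in the posted hunk (compare, then copy); `sg_write_check_after_copy` compares only after both fetches have completed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIM_EINVAL 22   /* constructed stand-in for -EINVAL */
#define SIM_EFAULT 14   /* constructed stand-in for -EFAULT */
#define CMD_MAX 16

/* Constructed stand-in for the user-space buffer sg_write() reads from.
 * tamper != 0 emulates another thread rewriting the opcode byte between
 * the first fetch (__get_user) and the second (__copy_from_user). */
struct user_buf {
    unsigned char data[CMD_MAX];
    int tamper;
};

/* Stand-in for __get_user(opcode, buf): reads the first byte only. */
static int sim_get_user(unsigned char *opcode, struct user_buf *ub)
{
    *opcode = ub->data[0];
    if (ub->tamper)
        ub->data[0] ^= 0x80;   /* the race: user memory changes after fetch 1 */
    return 0;
}

/* Stand-in for __copy_from_user(cmnd, buf, cmd_size). */
static int sim_copy_from_user(unsigned char *dst, const struct user_buf *ub, size_t n)
{
    if (n > CMD_MAX)
        return -SIM_EFAULT;
    memcpy(dst, ub->data, n);
    return 0;
}

/* Placement as in the posted hunk: the compare runs before cmnd is filled.
 * cmnd is zero-initialised here for determinism; in the kernel it is an
 * uninitialised stack array at this point, so the compare is against a
 * value that did not come from the second fetch either way.
 * Returns the opcode the handler would act on, or a negative errno. */
int sg_write_check_before_copy(struct user_buf *ub, size_t cmd_size)
{
    unsigned char opcode;
    unsigned char cmnd[CMD_MAX] = {0};
    int err;

    sim_get_user(&opcode, ub);
    if (opcode != cmnd[0])
        return -SIM_EINVAL;        /* cmnd[0] is not from user space yet */
    err = sim_copy_from_user(cmnd, ub, cmd_size);
    if (err != 0)
        return err;
    return cmnd[0];
}

/* Corrected placement: compare the two fetches after both have happened,
 * so a byte that changed in between is detected and the request rejected. */
int sg_write_check_after_copy(struct user_buf *ub, size_t cmd_size)
{
    unsigned char opcode;
    unsigned char cmnd[CMD_MAX] = {0};
    int err;

    sim_get_user(&opcode, ub);
    err = sim_copy_from_user(cmnd, ub, cmd_size);
    if (err != 0)
        return err;
    if (opcode != cmnd[0])
        return -SIM_EINVAL;        /* the opcode changed between fetches */
    return cmnd[0];
}

int main(void)
{
    struct user_buf b;

    memset(&b, 0, sizeof b);
    b.data[0] = 0x12;              /* constructed sample opcode */
    printf("before-copy check, untampered: %d\n", sg_write_check_before_copy(&b, 6));
    printf("after-copy check, untampered:  %d\n", sg_write_check_after_copy(&b, 6));

    memset(&b, 0, sizeof b);
    b.data[0] = 0x12;
    b.tamper = 1;
    printf("after-copy check, tampered:    %d\n", sg_write_check_after_copy(&b, 6));
    return 0;
}
```

With the compare before the copy, an untampered request with a non-zero opcode is rejected, and a tampered request whose first byte started out as zero is accepted with the changed byte in cmnd; with the compare after the copy, the untampered request goes through and the tampered one fails with the EINVAL stand-in.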