From patchwork Tue Dec 25 20:24:26 2018
X-Patchwork-Submitter: Kangjie Lu
X-Patchwork-Id: 10742621
From: Kangjie Lu
To: kjlu@umn.edu
Cc: pakki001@umn.edu, Doug Gilbert, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] scsi: fix a double-fetch bug in sg_write
Date: Tue, 25 Dec 2018 14:24:26 -0600
Message-Id: <20181225202427.69476-1-kjlu@umn.edu>
X-Mailing-List: linux-scsi@vger.kernel.org

"opcode" has been copied in from user space and checked. We should not copy it in again, which may have been modified by malicious multi-threading user programs through race conditions. The fix uses the opcode fetched in the first copy.

Signed-off-by: Kangjie Lu
--- drivers/scsi/sg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 4dacbfffd113..41774e4f9508 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -686,7 +686,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) hp->flags = input_size; /* structure abuse ... */ hp->pack_id = old_hdr.pack_id; hp->usr_ptr = NULL; - if (__copy_from_user(cmnd, buf, cmd_size)) + cmnd[0] = opcode; + if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1)) return -EFAULT; /* * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
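
Review bot: In the new `__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1)` call, the length `cmd_size - 1` is only safe if `cmd_size` is at least 1 at this point. The hunk does not show where `cmd_size` is derived or bounded, and if it is unsigned a value of 0 would make the subtraction wrap to a very large copy length. Please confirm the lower bound and state it in the commit message, or guard the call. The split also deserves a one-line comment above `cmnd[0] = opcode;` saying that the first byte is deliberately taken from the earlier, already-checked fetch, so that a later cleanup does not fold the two statements back into a single copy from `buf` and reintroduce the double fetch. The commit message would be easier to verify if it named where `opcode` is first read and which check it passed.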