| Message ID | 20181225212048.69782-1-kjlu@umn.edu (mailing list archive) |
|---|---|
| State | Deferred |
| Headers | show |
| Series | scsi: fix a double-fetch bug in adpt_i2o_passthru | expand |
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 37de8fb186d7..93bd1d1bd5b5 100644 --- a/drivers/scsi/dpt_i2o.c +++ b/drivers/scsi/dpt_i2o.c @@ -1733,6 +1733,9 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg) if(copy_from_user(msg, user_msg, size)) { return -EFAULT; } + /* Ensure it is not changed in the second copy */ + msg[0] = size; + get_user(reply_size, &user_reply[0]); reply_size = reply_size>>16; if(reply_size > REPLY_FRAME_SIZE){
user_msg[0] is a size variable, which is copied in from user space and checked. It is copied in again from user space after the check, and used in the following execution. Malicious user programs can race to change user_msg[0] between the two copies, leading to incorrect size. The fix ensures to use the checked size. Signed-off-by: Kangjie Lu <kjlu@umn.edu> --- drivers/scsi/dpt_i2o.c | 3 +++ 1 file changed, 3 insertions(+)