From patchwork Sun May 6 03:21:34 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 10382539
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Doug Gilbert, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org (open list:SCSI SG DRIVER), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] scsi: sg: fix a missing-check bug
Date: Sat, 5 May 2018 22:21:34 -0500
Message-Id: <1525576895-15708-1-git-send-email-wang6495@umn.edu>

In sg_write(), the opcode of the command is firstly copied from the userspace pointer 'buf' and saved to the kernel variable 'opcode', using the __get_user() function. The size of the command, i.e., 'cmd_size', is then calculated based on the 'opcode'. After that, the whole command, including the opcode, is copied again from 'buf' using the __copy_from_user() function and saved to 'cmnd'. Finally, the function sg_common_write() is invoked to process 'cmnd'.

Given that the 'buf' pointer resides in userspace, a malicious userspace process can race to change the opcode of the command between the two copies. That means the opcode indicated by the variable 'opcode' could be different from the opcode in 'cmnd'. This can cause inconsistent data in 'cmnd' and potential logical errors in the function sg_common_write(), as it needs to work on 'cmnd'.

This patch reuses the opcode obtained in the first copy and only copies the remaining part of the command from userspace.

Signed-off-by: Wenwen Wang
---
 drivers/scsi/sg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index c198b963..0ad8106 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -657,7 +657,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) hp->flags = input_size; /* structure abuse ... */ hp->pack_id = old_hdr.pack_id; hp->usr_ptr = NULL; - if (__copy_from_user(cmnd, buf, cmd_size)) + cmnd[0] = opcode; + if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1)) return -EFAULT; /* * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
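Review bot: the subject "fix a missing-check bug" does not match what the hunk does; no check is added. The change removes a double fetch of the opcode byte (read once to compute cmd_size, read again by the full __copy_from_user()), so a title along the lines of "scsi: sg: avoid double fetch of the opcode in sg_write()" would describe it. Two points on the new lines `cmnd[0] = opcode;` and `if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1))`: the length argument is unsigned, so the rewrite depends on cmd_size being at least 1 at this point, and the description should say what guarantees that, since otherwise `cmd_size - 1` would wrap to a huge copy length; and `buf + 1` relies on buf already pointing at the first byte of the command (the replaced line copied the command from buf, so it does), which a short comment on the new line would make self-evident.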
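As an added example, not part of the patch or of the sg driver: a user-space model of the two shapes of sg_write() that the description contrasts, with a hook standing in for the concurrent writer. `write_double_fetch`, `write_single_fetch`, `racer_fn`, `flip_opcode`, `scenario_consistent` and the constructed CDB are assumptions of this example; the opcode-group length table mirrors the one behind the kernel's COMMAND_SIZE().

```c
/* Added user-space model of the sg_write() double fetch (not kernel code):
 * user_buf stands in for the __user pointer, racer for a thread rewriting the
 * opcode byte between the two fetches. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MAX_CDB 16
typedef void (*racer_fn)(uint8_t *user_buf);
/* CDB length from the opcode group (top 3 bits), same table as COMMAND_SIZE(). */
static int cdb_size_for(uint8_t opcode)
{
    static const int group_len[8] = {6, 10, 10, 12, 16, 12, 10, 10};
    return group_len[opcode >> 5];
}

/* Pre-patch shape: opcode fetched to size the command, then the whole command
 * (opcode included) fetched again; *consistent tells whether cmnd[0] still
 * matches the opcode that chose cmd_size. */
static int write_double_fetch(uint8_t *user_buf, racer_fn racer,
                              uint8_t cmnd[MAX_CDB], bool *consistent)
{
    uint8_t opcode = user_buf[0];          /* __get_user(opcode, buf) */
    int cmd_size = cdb_size_for(opcode);
    if (racer) racer(user_buf);            /* user memory changes here */
    memcpy(cmnd, user_buf, cmd_size);      /* __copy_from_user(cmnd, buf, cmd_size) */
    *consistent = (cmnd[0] == opcode);
    return cmd_size;
}

/* Patched shape: keep the first-fetched opcode, copy only bytes 1..cmd_size-1. */
static int write_single_fetch(uint8_t *user_buf, racer_fn racer,
                              uint8_t cmnd[MAX_CDB], bool *consistent)
{
    uint8_t opcode = user_buf[0];
    int cmd_size = cdb_size_for(opcode);   /* never below 6 with this table */
    if (racer) racer(user_buf);
    cmnd[0] = opcode;
    memcpy(cmnd + 1, user_buf + 1, cmd_size - 1);
    *consistent = (cmnd[0] == opcode);
    return cmd_size;
}
/* Constructed racer: swaps a group-0 (6-byte) opcode for a group-5 (12-byte) one. */
static void flip_opcode(uint8_t *user_buf) { user_buf[0] = 0xa0; }

/* Runs one shape on a constructed 6-byte TEST UNIT READY CDB with the racer
 * active; returns whether the command handed on is still self-consistent. */
static bool scenario_consistent(bool patched)
{
    uint8_t user_buf[MAX_CDB] = {0x00}, cmnd[MAX_CDB] = {0};
    bool consistent;
    if (patched) write_single_fetch(user_buf, flip_opcode, cmnd, &consistent);
    else         write_double_fetch(user_buf, flip_opcode, cmnd, &consistent);
    return consistent;
}
```

With the pre-patch shape the 6-byte copy is sized for TEST UNIT READY but carries the 12-byte REPORT LUNS opcode; the patched shape hands on a command whose opcode and length agree.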