From patchwork Sun May 6 03:43:13 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 10382545
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Adam Radford, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] scsi: 3w-9xxx: fix a missing-check bug
Date: Sat, 5 May 2018 22:43:13 -0500
Message-Id: <1525578221-16283-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-scsi@vger.kernel.org

In twa_chrdev_ioctl(), the ioctl driver command is first copied from the userspace pointer 'argp' and saved to the kernel object 'driver_command'. Then a security check is performed on the data buffer size indicated by 'driver_command', which is 'driver_command.buffer_length'. If the security check is passed, the entire ioctl command is copied again from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various operations are performed on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer resides in userspace, a malicious userspace process can race to change the buffer size between the two copies. This way, the user can bypass the security check and inject an invalid data buffer size. This can cause potential security issues in the following execution.

This patch checks the buffer size obtained in the second copy. An error code -EINVAL will be returned if it is not the same as the original one in the first copy.

Signed-off-by: Wenwen Wang
---
 drivers/scsi/3w-9xxx.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
index b42c9c4..8bc43db 100644
--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w-9xxx.c
@@ -684,6 +684,12 @@ static long twa_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long if (copy_from_user(tw_ioctl, argp, driver_command.buffer_length + sizeof(TW_Ioctl_Buf_Apache) - 1)) goto out3; + if (tw_ioctl->driver_command.buffer_length + != driver_command.buffer_length) { + retval = TW_IOCTL_ERROR_OS_EINVAL; + goto out3; + } + /* See which ioctl we are doing */ switch (cmd) { case TW_IOCTL_FIRMWARE_PASS_THROUGH:
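Review bot: rejecting the mismatch with TW_IOCTL_ERROR_OS_EINVAL closes the window, but a smaller fix for a double fetch is to stop trusting the second copy of the header at all: right after the copy_from_user, overwrite it with the value that was already validated, e.g. `tw_ioctl->driver_command.buffer_length = driver_command.buffer_length;` (or copy the whole `driver_command` struct over it), so the stale value never reaches later code instead of being detected after the fact. Separately, the copy_from_user in this hunk is already bounded by the first, validated `driver_command.buffer_length`, so the copy itself cannot overrun; the commit message should name which later consumer of `tw_ioctl->driver_command.buffer_length` the changed value would reach, since "potential security issues in the following execution" does not say what the new check protects. Minor: the commit message says -EINVAL while the code sets TW_IOCTL_ERROR_OS_EINVAL; worth aligning the wording.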
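The double fetch described in the commit message, modelled in user space as an added example (not the driver's code): ioctl_model() performs the two fetches, an optional hook stands in for a racing writer between them, and check_second toggles the mismatch check from the hunk. MAX_BUF, EINVAL_MODEL, the struct layouts and all function names are assumptions, not the 3w-9xxx definitions.

```c
/* Added example (not the driver's code): a user-space model of the
 * double fetch in twa_chrdev_ioctl() and the mismatch check the patch adds.
 * MAX_BUF, EINVAL_MODEL, struct layouts and function names are hypothetical. */
#include <stdint.h>
#include <string.h>

#define MAX_BUF 64          /* stands in for the driver's size limit */
#define EINVAL_MODEL (-22)  /* stands in for TW_IOCTL_ERROR_OS_EINVAL */

/* Header the user hands in; mirrors driver_command.buffer_length. */
struct drv_cmd { uint32_t buffer_length; };
struct ioctl_buf { struct drv_cmd driver_command; char data[MAX_BUF]; };

/* Model of copy_from_user: the "user page" is plain memory, and an optional
 * hook runs between the two fetches to stand in for a racing thread. */
typedef void (*race_hook_t)(struct ioctl_buf *user);

static int ioctl_model(struct ioctl_buf *user, race_hook_t hook, int check_second)
{
    struct drv_cmd driver_command;
    struct ioctl_buf tw_ioctl;

    memcpy(&driver_command, &user->driver_command, sizeof(driver_command)); /* fetch 1 */
    if (driver_command.buffer_length > MAX_BUF)
        return EINVAL_MODEL;                      /* the original size check */
    if (hook)
        hook(user);                               /* window in which user memory can change */
    memcpy(&tw_ioctl, user, sizeof(struct drv_cmd) + driver_command.buffer_length); /* fetch 2 */
    if (check_second && tw_ioctl.driver_command.buffer_length != driver_command.buffer_length)
        return EINVAL_MODEL;                      /* the check the patch adds */
    /* Later code in the driver trusts tw_ioctl->driver_command.buffer_length. */
    return (int)tw_ioctl.driver_command.buffer_length;
}

/* Constructed racing write: raises the length after the first fetch passed. */
static void bump_length(struct ioctl_buf *user) { user->driver_command.buffer_length = 1000; }

/* Unpatched: the stale, over-limit length survives into later code. */
int run_unpatched(void) { struct ioctl_buf u = { { 16 }, { 0 } }; return ioctl_model(&u, bump_length, 0); }
/* Patched: the mismatch is rejected. */
int run_patched(void)   { struct ioctl_buf u = { { 16 }, { 0 } }; return ioctl_model(&u, bump_length, 1); }
/* No race: the validated length is returned unchanged. */
int run_benign(void)    { struct ioctl_buf u = { { 16 }, { 0 } }; return ioctl_model(&u, NULL, 1); }
```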