From patchwork Sun May 6 05:50:47 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 10382561
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Adam Radford, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] scsi: 3ware: fix a missing-check bug
Date: Sun, 6 May 2018 00:50:47 -0500
Message-Id: <1525585856-17639-1-git-send-email-wang6495@umn.edu>

In twl_chrdev_ioctl(), the ioctl driver command is first copied from the userspace pointer 'argp' and saved to the kernel object 'driver_command'. Then a security check is performed on the data buffer size indicated by 'driver_command', which is 'driver_command.buffer_length'. If the security check is passed, the entire ioctl command is copied again from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various operations are performed on 'tw_ioctl' according to the 'cmd'.

Given that the 'argp' pointer resides in userspace, a malicious userspace process can race to change the buffer size between the two copies. This way, the user can bypass the security check and inject an invalid data buffer size. This can cause potential security issues in the following execution.

This patch checks the buffer size obtained in the second copy. An error code -EINVAL will be returned if it is not the same as the original one in the first copy.

Signed-off-by: Wenwen Wang
---
 drivers/scsi/3w-sas.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/3w-sas.c b/drivers/scsi/3w-sas.c
index cf9f2a0..ea41969 100644
--- a/drivers/scsi/3w-sas.c
+++ b/drivers/scsi/3w-sas.c
@@ -757,6 +757,11 @@ static long twl_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long /* Now copy down the entire ioctl */ if (copy_from_user(tw_ioctl, argp, driver_command.buffer_length + sizeof(TW_Ioctl_Buf_Apache) - 1)) goto out3; + if (tw_ioctl->driver_command.buffer_length != + driver_command.buffer_length) { + retval = -EINVAL; + goto out3; + } /* See which ioctl we are doing */ switch (cmd) {
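Review bot: the new comparison closes the double fetch of buffer_length, but note that the existing copy_from_user() failure path directly above it jumps to out3 without touching retval, whereas the new branch sets retval = -EINVAL first; please confirm in the surrounding code (not visible in this hunk) that out3 actually returns retval, otherwise the -EINVAL promised in the commit message never reaches userspace. An alternative worth considering for this pattern is to overwrite tw_ioctl->driver_command.buffer_length with the already-validated driver_command.buffer_length instead of failing the ioctl, since the second copy is already bounded by the validated value and only the stale field inside tw_ioctl is untrusted. Either way, a short comment above the check (for example "/* userspace may have changed buffer_length between the two copies */") would stop a later reader from removing it as redundant.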
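To make the double-fetch problem the commit message describes concrete, the following is an added user-space simulation (not code from the patch or from the 3ware driver). It mirrors the two-copy control flow of twl_chrdev_ioctl() with constructed stand-in types (fake_driver_command, fake_ioctl_buf, FAKE_MAX_BUFFER and fake_copy_from_user() are assumptions, not the driver's real TW_Ioctl_* layouts or limits), lets the simulated "user" rewrite buffer_length between the two copies, and shows that without the re-check the later code acts on an unvalidated size while with it the request is rejected with -EINVAL.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the driver's structures: only the field the
 * check needs. Layouts are assumptions, not the real TW_Ioctl_* types. */
typedef struct {
    uint32_t buffer_length;
} fake_driver_command;

typedef struct {
    fake_driver_command driver_command;
    unsigned char data_buffer[1];   /* tail sized with "- 1", as the driver does */
} fake_ioctl_buf;

#define FAKE_MAX_BUFFER 4096u       /* assumed limit enforced by the "security check" */

/* Simulated user memory plus a hook that models the race window: after the
 * first copy, the "user" rewrites buffer_length to race_to_length (0 = no race). */
typedef struct {
    unsigned char *mem;
    size_t size;
    uint32_t race_to_length;
} fake_user_space;

static int fake_user_init(fake_user_space *u, uint32_t length, uint32_t race_to_length)
{
    u->size = sizeof(fake_ioctl_buf) - 1 + FAKE_MAX_BUFFER;
    u->mem = calloc(1, u->size);
    if (!u->mem)
        return -1;
    memcpy(u->mem, &length, sizeof(length));   /* buffer_length sits at offset 0 */
    u->race_to_length = race_to_length;
    return 0;
}

/* Stand-in for copy_from_user(): returns 0 on success, nonzero on failure.
 * After a successful copy the simulated user gets its turn to modify memory. */
static int fake_copy_from_user(void *dst, fake_user_space *u, size_t n)
{
    if (n > u->size)
        return 1;
    memcpy(dst, u->mem, n);
    if (u->race_to_length) {
        memcpy(u->mem, &u->race_to_length, sizeof(u->race_to_length));
        u->race_to_length = 0;
    }
    return 0;
}

/* Kernel side: mirrors the two-copy control flow of twl_chrdev_ioctl().
 * Returns the buffer length the later code would act on, or a negative errno. */
static long fake_ioctl(fake_user_space *u, void *kbuf, int recheck)
{
    fake_driver_command driver_command;
    fake_ioctl_buf *tw_ioctl = kbuf;

    /* First copy: header only. */
    if (fake_copy_from_user(&driver_command, u, sizeof(driver_command)))
        return -EFAULT;
    /* Size check on the value from the first copy. */
    if (driver_command.buffer_length > FAKE_MAX_BUFFER)
        return -EINVAL;
    /* Second copy: the whole ioctl, bounded by the validated length. */
    if (fake_copy_from_user(tw_ioctl, u,
                            driver_command.buffer_length + sizeof(fake_ioctl_buf) - 1))
        return -EFAULT;
    /* The patch's re-check: the header was fetched twice, so insist both agree. */
    if (recheck && tw_ioctl->driver_command.buffer_length != driver_command.buffer_length)
        return -EINVAL;
    /* Later code trusts the value inside tw_ioctl, not the checked local copy. */
    return (long)tw_ioctl->driver_command.buffer_length;
}

/* Runs one scenario end to end and returns the ioctl outcome. */
static long run_scenario(uint32_t length, uint32_t race_to_length, int recheck)
{
    fake_user_space u;
    long result;
    void *kbuf;

    if (fake_user_init(&u, length, race_to_length))
        return -ENOMEM;
    kbuf = calloc(1, u.size);
    if (!kbuf) {
        free(u.mem);
        return -ENOMEM;
    }
    result = fake_ioctl(&u, kbuf, recheck);
    free(kbuf);
    free(u.mem);
    return result;
}

int main(void)
{
    printf("honest user, no recheck:   %ld\n", run_scenario(16, 0, 0));
    printf("racing user, no recheck:   %ld\n", run_scenario(16, 100000, 0));
    printf("racing user, with recheck: %ld\n", run_scenario(16, 100000, 1));
    return 0;
}
```

The key observation is in the last line of fake_ioctl(): the second memcpy is already bounded by the validated length, so the copy itself cannot overrun, but everything after it reads the length field that lives inside tw_ioctl, which came from the second fetch. That is exactly the value the patch re-validates.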