From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Adam Radford, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2] scsi: 3w-9xxx: fix a missing-check bug
Date: Mon, 7 May 2018 19:46:43 -0500
Message-Id: <1525740413-23443-1-git-send-email-wang6495@umn.edu>

In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from the userspace pointer 'argp' and saved to the kernel object 'driver_command'. Then a security check is performed on the data buffer size indicated by 'driver_command', which is 'driver_command.buffer_length'. If the security check is passed, the entire ioctl command is copied again from the 'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various operations are performed on 'tw_ioctl' according to the 'cmd'.

Given that the 'argp' pointer resides in userspace, a malicious userspace process can race to change the buffer size between the two copies. This way, the user can bypass the security check and inject an invalid data buffer size. This can cause potential security issues in the following execution.

This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open() to avoid the above issues.

Signed-off-by: Wenwen Wang
Acked-by: Adam Radford
---
 drivers/scsi/3w-9xxx.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
index b42c9c4..99ba4a7 100644
--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w-9xxx.c
@@ -882,6 +882,11 @@ static int twa_chrdev_open(struct inode *inode, struct file *file) unsigned int minor_number; int retval = TW_IOCTL_ERROR_OS_ENODEV; + if (!capable(CAP_SYS_ADMIN)) { + retval = -EACCES; + goto out; + } + minor_number = iminor(inode); if (minor_number >= twa_device_extension_count) goto out;
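Review bot: The capable(CAP_SYS_ADMIN) check added at the top of twa_chrdev_open() restricts who may open the device, but the double fetch the commit message describes (buffer_length read from 'argp' once for the check and again for use in twa_chrdev_ioctl()) is left in place, so the race is still reachable by any CAP_SYS_ADMIN holder and by any process that is handed an already-open descriptor, since the test runs at open() time rather than per ioctl. Consider also copying the command once and validating the kernel copy, or re-checking buffer_length after the second copy. Minor: capability failures conventionally return -EPERM rather than -EACCES, and the surrounding function reports errors through TW_IOCTL_ERROR_OS_* constants (retval is initialised to TW_IOCTL_ERROR_OS_ENODEV two lines above), so the bare -EACCES is inconsistent with the file's style.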
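The double fetch that the commit message describes, modelled in stand-alone C as an added example (not the driver's code): 'struct cmd', 'fake_copy_from_user' and 'race_hook' are constructed stand-ins for the ioctl argument, copy_from_user() and a racing thread, and ioctl_single_fetch shows the copy-once shape that closes the window the patch's capability check only narrows.

```c
#include <stdint.h>
#include <string.h>

#define MAX_BUF 64

/* Constructed stand-in for the ioctl argument; not the driver's real layout. */
struct cmd {
    uint32_t buffer_length;
    unsigned char data[MAX_BUF];
};
/* Models another thread rewriting the user buffer mid-ioctl (set by run_scenario). */
static void (*race_hook)(struct cmd *user);
/* Stand-in for copy_from_user(): each call re-reads the "user" memory. */
static void fake_copy_from_user(void *d, const void *u, size_t n) { memcpy(d, u, n); }

/* Vulnerable shape: the validated length and the used length are separate fetches. */
int ioctl_double_fetch(struct cmd *argp)
{
    uint32_t checked_len;
    struct cmd tw_ioctl;
    fake_copy_from_user(&checked_len, &argp->buffer_length, sizeof(checked_len));
    if (checked_len > MAX_BUF)
        return -1;                      /* the "security check" passes on stale data */
    if (race_hook)
        race_hook(argp);                /* window between the two copies */
    fake_copy_from_user(&tw_ioctl, argp, sizeof(tw_ioctl));
    return (int)tw_ioctl.buffer_length; /* length later code would trust */
}

/* Hardened shape: copy once, then validate and use only the kernel copy. */
int ioctl_single_fetch(struct cmd *argp)
{
    struct cmd tw_ioctl;
    fake_copy_from_user(&tw_ioctl, argp, sizeof(tw_ioctl));
    if (race_hook)
        race_hook(argp);                /* user memory is no longer consulted */
    if (tw_ioctl.buffer_length > MAX_BUF)
        return -1;
    return (int)tw_ioctl.buffer_length;
}

static void grow_length(struct cmd *user) { user->buffer_length = 4096; }
/* Run one handler against a user buffer carrying 'len', optionally racing it. */
int run_scenario(int (*handler)(struct cmd *), uint32_t len, int racing)
{
    struct cmd user = { .buffer_length = len };
    race_hook = racing ? grow_length : NULL;
    return handler(&user);
}
```

With the race active, the double-fetch handler returns a length that its own check would have rejected, while the single-fetch handler keeps the value it validated.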