From patchwork Thu Oct 15 08:10:54 2015
X-Patchwork-Submitter: Sumit Saxena
X-Patchwork-Id: 7403841
From: sumit.saxena@avagotech.com
Message-Id: <201510150818.t9F8IDfb029670@palmhbs0.lsi.com>
Date: Thu, 15 Oct 2015 13:40:54 +0530
To: linux-scsi@vger.kernel.org, stable@vger.kernel.org, thenzl@redhat.com, martin.petersen@oracle.com, hch@infradead.org, jbottomley@parallels.com, kashyap.desai@avagotech.com, sumit.saxena@avagotech.com, kiran-kumar.kasturi@avagotech.com
Subject: [PATCH 10/12] megaraid_sas : SMAP restriction-do not access user memory from IOCTL code
Cc: uday.lingala@avagotech.com

This is an issue on SMAP-enabled CPUs and 32-bit apps running on a 64-bit OS. Do not access user memory from kernel code. The SMAP bit restricts access to user memory from kernel code. Corresponding Red Hat Bugzilla id for this is: [Bug 1267911].

Cc:
Signed-off-by: Sumit Saxena
Signed-off-by: Kashyap Desai
Reviewed-by: Tomas Henzl
--- drivers/scsi/megaraid/megaraid_sas_base.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c index c74d7c5..f8d5455 100644 --- a/drivers/scsi/megaraid/megaraid_sas_base.c +++ b/drivers/scsi/megaraid/megaraid_sas_base.c @@ -6470,6 +6470,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) int i; int error = 0; compat_uptr_t ptr; + unsigned long local_raw_ptr; + u32 local_sense_off; + u32 local_sense_len; if (clear_user(ioc, sizeof(*ioc))) return -EFAULT;
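Review bot: in the first hunk, `local_raw_ptr` is declared `unsigned long` although the patch only ever casts it to `(u8*)` to form a user-space address; if it is meant to carry a pointer, declare it with the pointer type it stands for, including the `__user` annotation (for example `void __user *local_raw_ptr`), so sparse can check the arithmetic done on it later, and so the name does not suggest a pointer when the value actually stored is whatever get_user() loads from the frame. The two `u32` locals for sense_off and sense_len are the part of this hunk that the SMAP fix really needs.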
@@ -6487,9 +6490,15 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) * sense_len is not null, so prepare the 64bit value under * the same condition. */ - if (ioc->sense_len) { + if (get_user(local_raw_ptr, ioc->frame.raw) || + get_user(local_sense_off, &ioc->sense_off) || + get_user(local_sense_len, &ioc->sense_len)) + return -EFAULT; + + + if (local_sense_len) { void __user **sense_ioc_ptr = - (void __user **)(ioc->frame.raw + ioc->sense_off); + (void __user **)((u8*)local_raw_ptr + local_sense_off); compat_uptr_t *sense_cioc_ptr = (compat_uptr_t *)(cioc->frame.raw + cioc->sense_off); if (get_user(ptr, sense_cioc_ptr) ||
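Review bot: the replacement `(void __user **)((u8*)local_raw_ptr + local_sense_off)` changes what sense_ioc_ptr points to. The line it replaces, `(void __user **)(ioc->frame.raw + ioc->sense_off)`, never read frame.raw; it computed the address of a location inside the user buffer `ioc` (the same `ioc` passed to clear_user() in the previous hunk), and the only user-memory dereferences in the old expression were `ioc->sense_off` and `ioc->sense_len`. The new code instead does `get_user(local_raw_ptr, ioc->frame.raw)`, loading the bytes stored at the start of frame.raw and then using that loaded value as a base address, so the later store through sense_ioc_ptr goes to wherever those bytes happen to point. Suggest keeping the get_user() calls for sense_off and sense_len only, dropping `local_raw_ptr`, and writing `(void __user **)(ioc->frame.raw + local_sense_off)`. Minor style: the two blank `+` lines before `if (local_sense_len)` should be one, and `(u8*)` should be `(u8 *)`.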