From patchwork Tue Dec 25 20:55:09 2018
X-Patchwork-Submitter: Kangjie Lu
X-Patchwork-Id: 10742625
From: Kangjie Lu
To: kjlu@umn.edu
Cc: pakki001@umn.edu, Kashyap Desai, Sumit Saxena, Shivasharan S, "James E.J. Bottomley", "Martin K. Petersen", megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] scsi: avoiding fetching signature from user space again after check
Date: Tue, 25 Dec 2018 14:55:09 -0600
Message-Id: <20181225205509.69618-1-kjlu@umn.edu>
X-Mailing-List: linux-scsi@vger.kernel.org

The signature is checked so that it must be "MEGANIT". After the check, if we fetch the signature again from user space, it may have been modified by malicious user programs through race conditions. The fix avoids fetching the signature again.

Signed-off-by: Kangjie Lu
---
 drivers/scsi/megaraid.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index 8c7154143a4e..a2255fbd0ab6 100644 --- a/drivers/scsi/megaraid.c +++ b/drivers/scsi/megaraid.c @@ -3396,7 +3396,6 @@ static int mega_m_to_n(void __user *arg, nitioctl_t *uioc) { struct uioctl_t uioc_mimd; - char signature[8] = {0}; u8 opcode; u8 subopcode; @@ -3408,10 +3407,10 @@ mega_m_to_n(void __user *arg, nitioctl_t *uioc) * beginning of the structure. */ - if( copy_from_user(signature, arg, 7) ) + if (copy_from_user(&uioc_mimd, arg, 7)) return (-EFAULT); - if( memcmp(signature, "MEGANIT", 7) == 0 ) { + if (memcmp(&uioc_mimd, "MEGANIT", 7) == 0) { /* * NOTE NOTE: The nit ioctl is still under flux because of
@@ -3421,7 +3420,7 @@ mega_m_to_n(void __user *arg, nitioctl_t *uioc) */ return -EINVAL; #if 0 - if( copy_from_user(uioc, arg, sizeof(nitioctl_t)) ) + if (copy_from_user(uioc, arg, sizeof(nitioctl_t))) return (-EFAULT); return 0; #endif @@ -3432,7 +3431,10 @@ mega_m_to_n(void __user *arg, nitioctl_t *uioc) * * Get the user ioctl structure */ - if( copy_from_user(&uioc_mimd, arg, sizeof(struct uioctl_t)) ) + if (copy_from_user((char *)&uioc_mimd + sizeof(uioc->signature), + arg + sizeof(uioc->signature), + sizeof(struct uioctl_t) - + sizeof(uioc->signature))) return (-EFAULT);
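
Review bot: The literal 7 in the @@ -3408,10 +3407,10 hunk, in copy_from_user(&uioc_mimd, arg, 7) and memcmp(&uioc_mimd, "MEGANIT", 7), is not tied to the sizeof(uioc->signature) offset that the last hunk uses to resume the copy. Both reads should take their length from one named constant so it is evident that the first and second fetch are contiguous and non-overlapping. Since the leading bytes of a struct uioctl_t are now being compared against a string, a one-line comment saying that uioc_mimd doubles as the signature buffer would also help the next reader.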
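
Review bot: The only change in the @@ -3421,7 +3420,7 hunk is whitespace on a line inside an #if 0 block, which is unrelated to the double-fetch fix and would be better dropped or sent as a separate cleanup. If the line is touched at all, it is worth noting in a comment that the disabled copy_from_user(uioc, arg, sizeof(nitioctl_t)) reads the signature from user space a second time, so enabling that block as written would bring back the re-fetch this patch is meant to remove.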
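
Review bot: The resumed copy in the @@ -3432,7 +3431,10 hunk starts at sizeof(uioc->signature), but the first read filled only 7 bytes of uioc_mimd, which is declared without an initializer. Unless sizeof(uioc->signature) is exactly 7 (the removed local was char signature[8]), the bytes of uioc_mimd between offset 7 and that size are written by neither copy and keep whatever was on the stack, whereas the old full-size copy filled them from user space. The offset is also taken from a field of nitioctl_t while the destination is a struct uioctl_t, so the patch relies on an unstated layout assumption. Suggest resuming at the same length the first read used (or reading the full signature-sized prefix up front and comparing 7 bytes of it), and stating the layout assumption in a comment. The commit message could also say that the live path after the check is the non-"MEGANIT" one, since the matching branch returns -EINVAL.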