From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Pengfei Wang <wpengfeinudt@gmail.com>, linux-scsi@vger.kernel.org
Subject: Re: Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c
Date: Tue, 26 Apr 2016 07:46:22 -0700 [thread overview]
Message-ID: <1461681982.2348.4.camel@HansenPartnership.com> (raw)
In-Reply-To: <CACxtibTF72YUeOnm2Rsx6odjRXybjbbGbx32-CqAu5u6ahndKg@mail.gmail.com>
On Tue, 2016-04-26 at 13:35 +0100, Pengfei Wang wrote:
> Hello,
>
> I found this Double-Fetch bug in
> Linux-4.5/drivers/scsi/aacraid/commctrl.c when I was examining the
> source code.
>
> In function ioctl_send_fib(), the driver fetches user space data by
> pointer arg via copy_from_user(), and this happens twice at line 81
> and line 116 respectively. The first fetched value (stored in kfib)
> is used to get the header and calculate the size at line 90 so as to
> copy the whole message later at line 116, which means the copy size
> of the whole message is based on the old value that came from the
> first fetch. Besides, the whole message copied in the second fetch
> also contains the header.
>
> However, when the function processes the message after the second
> fetch at line 130, it uses kfib->header.Size that came from the
> second fetch, which might be different from the one came from the
> first fetch as well as calculated the size to copy the message from
> user space to driver.
I don't actually see where there's a bug in this. If the user chooses
to alter data in-flight (quite hard to do because one thread of
execution is already tied up in the ioctl) then the consequences are
their own fault.
> If the kfib->header.Size is modified by a user thread under race
> condition between the fetch operations, for example changing to a
> very large value, this will lead to over-boundary access or other
> serious consequences in function aac_fib_send().
Our only real concern would be could an unprivileged user crash the
kernel this way and the user must have CAP_SYS_RAWIO anyway (which is
quite a high privilege capability) plus the only problem with
shortening the data would be EFAULT.
James
next prev parent reply other threads:[~2016-04-26 14:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-26 12:35 Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c Pengfei Wang
2016-04-26 14:46 ` James Bottomley [this message]
2016-04-26 16:10 ` Fwd: " Pengfei Wang
[not found] ` <56AE387A-9CCB-4524-A3FB-1DCA24D816E0@gmail.com>
2016-07-07 13:00 ` Pengfei Wang
2016-07-07 22:43 ` David Carroll
2016-07-08 9:24 ` Pengfei Wang
[not found] <0484FFD3-4BAB-43B9-AD56-B4A098C3E8AE@gmail.com>
2016-04-26 22:22 ` Kees Cook
2016-04-27 5:42 ` Julia Lawall
2016-04-27 8:02 ` Dan Carpenter
2016-04-27 8:07 ` Julia Lawall
2016-04-27 16:22 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1461681982.2348.4.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=linux-scsi@vger.kernel.org \
--cc=wpengfeinudt@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.