From: "Martin K. Petersen" <martin.petersen@oracle.com>
To: Gen Zhang <blackgod016574@gmail.com>
Cc: sathya.prakash@broadcom.com, chaitra.basappa@broadcom.com,
	jejb@linux.ibm.com, martin.petersen@oracle.com,
	suganath-prabu.subramani@broadcom.com,
	MPT-FusionLinux.pdl@broadcom.com, linux-scsi@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()
Date: Wed, 29 May 2019 22:22:03 -0400
Message-ID: <yq1ef4gy94k.fsf@oracle.com>
In-Reply-To: <20190530011030.GA6314@zhanggen-UX430UQ> (Gen Zhang's message of "Thu, 30 May 2019 09:10:30 +0800")


Gen,

> In _ctl_ioctl_main(), 'ioctl_header' is fetched the first time from
> userspace. 'ioctl_header.ioc_number' is then checked. The legal result
> is saved to 'ioc'. Then, in condition MPT3COMMAND, the whole struct is
> fetched again from userspace. Then _ctl_do_mpt_command() is called with
> 'ioc' and 'karg' as inputs.
>
> However, a malicious user can change the 'ioc_number' between the two
> fetches, which will cause potential security issues. Moreover, a
> malicious user can provide a valid 'ioc_number' to pass the check in the
> first fetch, and then modify it in the second fetch.
>
> To fix this, we need to recheck the 'ioc_number' in the second fetch.

Applied to 5.3/scsi-queue, thanks.

-- 
Martin K. Petersen	Oracle Linux Engineering
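The race the commit message describes, as an added example that is not the mpt3sas driver's code or Gen Zhang's patch: a minimal C model of an ioctl handler that copies the header once to validate 'ioc_number', then copies the whole command a second time and passes the second copy downstream. The struct layouts, the simulated copy_from_user(), the adapter-table size and the function names are assumptions made for illustration; the recheck after the second fetch mirrors the fix the message proposes.

```c
/* Added example, not mpt3sas code: a double-fetch (TOCTOU) in an ioctl
 * handler and the recheck that closes it. All names and layouts below
 * are assumptions for illustration. Build: cc -Wall double_fetch.c */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_IOC 4	/* assumed size of the adapter table */

struct ioctl_header {
	int ioc_number;		/* index of the adapter the command targets */
	int port_number;
	int max_data_size;
};

struct mpt3_command {
	struct ioctl_header hdr;	/* header is the first member, so a
					 * header-sized copy is a prefix copy */
	int timeout;
};

/* Simulated user memory. The calling process owns it and can rewrite it
 * at any moment, including between the kernel's two copies. */
struct user_mem {
	struct mpt3_command cmd;
	int race;		/* 1: rewrite ioc_number after the first fetch */
	int fetches;		/* number of copy_from_user() calls so far */
};

/* Stand-in for copy_from_user(): copies len bytes from the user buffer,
 * then emulates a racing user thread that flips ioc_number to an
 * out-of-range value once the first (validated) fetch is done. */
static int sim_copy_from_user(void *dst, struct user_mem *um, size_t len)
{
	memcpy(dst, &um->cmd, len);
	um->fetches++;
	if (um->race && um->fetches == 1)
		um->cmd.hdr.ioc_number = 99;	/* past the end of the table */
	return 0;				/* 0 = success, like the real helper */
}

/* Models the MPT3COMMAND path of _ctl_ioctl_main(). Returns the ioc_number
 * that downstream code would act on, or a negative errno.
 * recheck = 0 reproduces the pre-patch flow, recheck = 1 adds the fix. */
static int ioctl_main(struct user_mem *um, int recheck)
{
	struct ioctl_header ioctl_header;
	struct mpt3_command karg;

	/* Fetch 1: header only, used to select and validate the adapter. */
	if (sim_copy_from_user(&ioctl_header, um, sizeof(ioctl_header)))
		return -EFAULT;
	if (ioctl_header.ioc_number < 0 || ioctl_header.ioc_number >= MAX_IOC)
		return -ENODEV;	/* 'ioc' is resolved from this checked index */

	/* Fetch 2: the whole command. User memory may have changed since. */
	if (sim_copy_from_user(&karg, um, sizeof(karg)))
		return -EFAULT;
	if (recheck && karg.hdr.ioc_number != ioctl_header.ioc_number)
		return -EINVAL;	/* the fix: reject a header that changed */

	/* Pre-patch, karg.hdr.ioc_number reaches downstream code unvalidated
	 * even though only ioctl_header.ioc_number was range-checked. */
	return karg.hdr.ioc_number;
}

/* Drives one ioctl with a constructed user buffer (ioc_number, race flag). */
static int run(int ioc_number, int race, int recheck)
{
	struct user_mem um;

	memset(&um, 0, sizeof(um));
	um.cmd.hdr.ioc_number = ioc_number;
	um.race = race;
	return ioctl_main(&um, recheck);
}

int main(void)
{
	printf("no race, pre-patch: %d\n", run(2, 0, 0));	/* 2 */
	printf("no race, patched  : %d\n", run(2, 0, 1));	/* 2 */
	printf("race,    pre-patch: %d\n", run(2, 1, 0));	/* 99: unchecked */
	printf("race,    patched  : %d\n", run(2, 1, 1));	/* -22 (-EINVAL) */
	return 0;
}
```

The model keeps the same shape as the driver: the second copy is needed because the first only covered the header, so the only safe options are to compare every field the first fetch validated against the second copy, or to copy the full structure once and validate the header from that single copy. The recheck is the smaller change; copying once removes the window entirely.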

Thread overview:
2019-05-30  1:10 [PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main() Gen Zhang
2019-05-30  2:22 ` Martin K. Petersen [this message]
2019-05-27  0:57 Gen Zhang
2019-05-28  6:14 ` Suganath Prabu Subramani
2019-05-28  7:05   ` Gen Zhang
