From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Pengfei Wang <wpengfeinudt@gmail.com>, linux-scsi@vger.kernel.org
Subject: Re: Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c
Date: Tue, 26 Apr 2016 07:46:22 -0700 [thread overview]
Message-ID: <1461681982.2348.4.camel@HansenPartnership.com> (raw)
In-Reply-To: <CACxtibTF72YUeOnm2Rsx6odjRXybjbbGbx32-CqAu5u6ahndKg@mail.gmail.com>
On Tue, 2016-04-26 at 13:35 +0100, Pengfei Wang wrote:
> Hello,
>
> I found this Double-Fetch bug in
> Linux-4.5/drivers/scsi/aacraid/commctrl.c when I was examining the
> source code.
>
> In function ioctl_send_fib(), the driver fetches user space data by
> pointer arg via copy_from_user(), and this happens twice at line 81
> and line 116 respectively. The first fetched value (stored in kfib)
> is used to get the header and calculate the size at line 90 so as to
> copy the whole message later at line 116, which means the copy size
> of the whole message is based on the old value that came from the
> first fetch. Besides, the whole message copied in the second fetch
> also contains the header.
>
> However, when the function processes the message after the second
> fetch at line 130, it uses kfib->header.Size that came from the
> second fetch, which might be different from the one came from the
> first fetch as well as calculated the size to copy the message from
> user space to driver.
I don't actually see where there's a bug in this. If the user chooses
to alter data in-flight (quite hard to do because one thread of
execution is already tied up in the ioctl) then the consequences are
their own fault.
> If the kfib->header.Size is modified by a user thread under race
> condition between the fetch operations, for example changing to a
> very large value, this will lead to over-boundary access or other
> serious consequences in function aac_fib_send().
Our only real concern would be could an unprivileged user crash the
kernel this way and the user must have CAP_SYS_RAWIO anyway (which is
quite a high privilege capability) plus the only problem with
shortening the data would be EFAULT.
James
next prev parent reply other threads:[~2016-04-26 14:46 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-26 12:35 Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c Pengfei Wang
2016-04-26 14:46 ` James Bottomley [this message]
2016-04-26 16:10 ` Fwd: " Pengfei Wang
[not found] ` <56AE387A-9CCB-4524-A3FB-1DCA24D816E0@gmail.com>
2016-07-07 13:00 ` Pengfei Wang
2016-07-07 22:43 ` David Carroll
2016-07-08 9:24 ` Pengfei Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1461681982.2348.4.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=linux-scsi@vger.kernel.org \
--cc=wpengfeinudt@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).