From: Arnd Bergmann <arnd@arndb.de>
To: Kashyap Desai <kashyap.desai@broadcom.com>,
Sumit Saxena <sumit.saxena@broadcom.com>,
Shivasharan S <shivasharan.srikanteshwara@broadcom.com>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Cc: hch@infradead.org, Arnd Bergmann <arnd@arndb.de>,
stable@vger.kernel.org,
Anand Lodnoor <anand.lodnoor@broadcom.com>,
Chandrakanth Patil <chandrakanth.patil@broadcom.com>,
Hannes Reinecke <hare@suse.de>,
megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 2/3] scsi: megaraid_sas: check user-provided offsets
Date: Tue, 8 Sep 2020 23:36:22 +0200 [thread overview]
Message-ID: <20200908213715.3553098-2-arnd@arndb.de> (raw)
In-Reply-To: <20200908213715.3553098-1-arnd@arndb.de>
It sounds unwise to let user space pass an unchecked 32-bit
offset into a kernel structure in an ioctl. This is an unsigned
variable, so checking the upper bound for the size of the structure
it points into is sufficient to avoid data corruption, but as
the pointer might also be unaligned, it has to be written carefully
as well.
While I stumbled over this problem by reading the code, I did not
continue checking the function for further problems like it.
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 861f7140f52e..c3de69f3bee8 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -8095,7 +8095,7 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
int error = 0, i;
void *sense = NULL;
dma_addr_t sense_handle;
- unsigned long *sense_ptr;
+ void *sense_ptr;
u32 opcode = 0;
int ret = DCMD_SUCCESS;
@@ -8218,6 +8218,12 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
}
if (ioc->sense_len) {
+ /* make sure the pointer is part of the frame */
+ if (ioc->sense_off > (sizeof(union megasas_frame) - sizeof(__le64))) {
+ error = -EINVAL;
+ goto out;
+ }
+
sense = dma_alloc_coherent(&instance->pdev->dev, ioc->sense_len,
&sense_handle, GFP_KERNEL);
if (!sense) {
@@ -8225,12 +8231,11 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
goto out;
}
- sense_ptr =
- (unsigned long *) ((unsigned long)cmd->frame + ioc->sense_off);
+ sense_ptr = (void *)cmd->frame + ioc->sense_off;
if (instance->consistent_mask_64bit)
- *sense_ptr = cpu_to_le64(sense_handle);
+ put_unaligned_le64(sense_handle, sense_ptr);
else
- *sense_ptr = cpu_to_le32(sense_handle);
+ put_unaligned_le32(sense_handle, sense_ptr);
}
/*
--
2.27.0
next prev parent reply other threads:[~2020-09-08 21:38 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-08 21:36 [PATCH 1/3] scsi: aacraid: improve compat_ioctl handlers Arnd Bergmann
2020-09-08 21:36 ` Arnd Bergmann [this message]
2020-09-12 7:20 ` [PATCH 2/3] scsi: megaraid_sas: check user-provided offsets Christoph Hellwig
2020-09-12 17:03 ` Arnd Bergmann
2020-12-31 0:15 ` Phil Oester
2021-01-03 16:26 ` Arnd Bergmann
2021-01-03 17:00 ` James Bottomley
2021-01-03 18:49 ` Arnd Bergmann
2021-01-03 20:12 ` James Bottomley
2021-01-04 17:48 ` Phil Oester
2021-01-04 22:24 ` Arnd Bergmann
2020-09-08 21:36 ` [PATCH 3/3] scsi: megaraid_sas: simplify compat_ioctl handling Arnd Bergmann
2020-09-12 7:47 ` Christoph Hellwig
2020-09-12 12:49 ` Arnd Bergmann
2020-09-13 6:50 ` compat_alloc_user_space removal, was " Christoph Hellwig
2020-09-13 11:46 ` Arnd Bergmann
2020-09-17 14:55 ` Arnd Bergmann
2020-09-17 14:57 ` Christoph Hellwig
2020-09-12 7:09 ` [PATCH 1/3] scsi: aacraid: improve compat_ioctl handlers Christoph Hellwig
2020-09-17 15:02 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200908213715.3553098-2-arnd@arndb.de \
--to=arnd@arndb.de \
--cc=anand.lodnoor@broadcom.com \
--cc=chandrakanth.patil@broadcom.com \
--cc=hare@suse.de \
--cc=hch@infradead.org \
--cc=jejb@linux.ibm.com \
--cc=kashyap.desai@broadcom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=megaraidlinux.pdl@broadcom.com \
--cc=shivasharan.srikanteshwara@broadcom.com \
--cc=stable@vger.kernel.org \
--cc=sumit.saxena@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox