From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Miquel Raynal <miquel.raynal@bootlin.com>,
Richard Weinberger <richard@nod.at>,
Vignesh Raghavendra <vigneshr@ti.com>, stable <stable@kernel.org>
Subject: [PATCH 5.8 24/38] mtd: properly check all write ioctls for permissions
Date: Mon, 10 Aug 2020 17:19:14 +0200
Message-ID: <20200810151805.080238265@linuxfoundation.org>
In-Reply-To: <20200810151803.920113428@linuxfoundation.org>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream.
When doing a "write" ioctl call, properly check that we have permissions
to do so before copying anything from userspace or anything else so we
can "fail fast". This includes also covering the MEMWRITE ioctl which
previously missed checking for this.
Cc: Miquel Raynal <miquel.raynal@bootlin.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Vignesh Raghavendra <vigneshr@ti.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[rw: Fixed locking issue]
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtdchar.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 47 insertions(+), 9 deletions(-)
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -355,9 +355,6 @@ static int mtdchar_writeoob(struct file
uint32_t retlen;
int ret = 0;
- if (!(file->f_mode & FMODE_WRITE))
- return -EPERM;
-
if (length > 4096)
return -EINVAL;
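Review bot: with the FMODE_WRITE test removed from the top of mtdchar_writeoob(), the function no longer protects itself, so every caller must have checked the file mode before calling it. A one-line comment above the function stating that precondition (for example "caller must have verified FMODE_WRITE") would keep a future caller from reaching the OOB write path on a descriptor opened read-only.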
@@ -643,6 +640,48 @@ static int mtdchar_ioctl(struct file *fi
pr_debug("MTD_ioctl\n");
+ /*
+ * Check the file mode to require "dangerous" commands to have write
+ * permissions.
+ */
+ switch (cmd) {
+ /* "safe" commands */
+ case MEMGETREGIONCOUNT:
+ case MEMGETREGIONINFO:
+ case MEMGETINFO:
+ case MEMREADOOB:
+ case MEMREADOOB64:
+ case MEMLOCK:
+ case MEMUNLOCK:
+ case MEMISLOCKED:
+ case MEMGETOOBSEL:
+ case MEMGETBADBLOCK:
+ case MEMSETBADBLOCK:
+ case OTPSELECT:
+ case OTPGETREGIONCOUNT:
+ case OTPGETREGIONINFO:
+ case OTPLOCK:
+ case ECCGETLAYOUT:
+ case ECCGETSTATS:
+ case MTDFILEMODE:
+ case BLKPG:
+ case BLKRRPART:
+ break;
+
+ /* "dangerous" commands */
+ case MEMERASE:
+ case MEMERASE64:
+ case MEMWRITEOOB:
+ case MEMWRITEOOB64:
+ case MEMWRITE:
+ if (!(file->f_mode & FMODE_WRITE))
+ return -EPERM;
+ break;
+
+ default:
+ return -ENOTTY;
+ }
+
switch (cmd) {
case MEMGETREGIONCOUNT:
if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int)))
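Review bot: MEMLOCK, MEMUNLOCK, MEMSETBADBLOCK and OTPLOCK are placed in the "safe" list although, going by their names, they change device state rather than only report it. Either move them under the FMODE_WRITE test or add a comment explaining why a read-only open may still issue them. Separately, because "default: return -ENOTTY;" now runs ahead of the dispatch switch, any command handled below but missing from this list becomes unreachable, so the two lists have to be kept in step; a comment saying so next to the default case would help.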
@@ -690,9 +729,6 @@ static int mtdchar_ioctl(struct file *fi
{
struct erase_info *erase;
- if(!(file->f_mode & FMODE_WRITE))
- return -EPERM;
-
erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL);
if (!erase)
ret = -ENOMEM;
@@ -985,9 +1021,6 @@ static int mtdchar_ioctl(struct file *fi
ret = 0;
break;
}
-
- default:
- ret = -ENOTTY;
}
return ret;
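Review bot: dropping the default case from the dispatch switch means a command that is accepted by the new permission switch but has no case here falls out of the switch and returns whatever ret holds at that point, instead of -ENOTTY. Keeping "default: ret = -ENOTTY;" as a fallback costs nothing and covers a command that is later added to the first list without a matching handler.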
@@ -1031,6 +1064,11 @@ static long mtdchar_compat_ioctl(struct
struct mtd_oob_buf32 buf;
struct mtd_oob_buf32 __user *buf_user = argp;
+ if (!(file->f_mode & FMODE_WRITE)) {
+ ret = -EPERM;
+ break;
+ }
+
if (copy_from_user(&buf, argp, sizeof(buf)))
ret = -EFAULT;
else
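Review bot: the FMODE_WRITE test in this compat case duplicates the one in the permission switch added to mtdchar_ioctl(), and it uses "ret = -EPERM; break;" where the native handler returns directly. A short comment saying why this case needs its own check (presumably because it does not pass through mtdchar_ioctl()'s switch) and why it has to break rather than return would help the next reader. The other write-type cases of mtdchar_compat_ioctl() are not visible in this hunk and should be confirmed either to carry the same guard or to be forwarded to mtdchar_ioctl().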