From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Wenwen Wang <wang6495@umn.edu>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.4 21/32] scsi: megaraid_sas: fix a missing-check bug
Date: Wed, 31 Oct 2018 19:11:26 -0400
Message-ID: <20181031231137.29429-21-sashal@kernel.org>
In-Reply-To: <20181031231137.29429-1-sashal@kernel.org>
From: Wenwen Wang <wang6495@umn.edu>
[ Upstream commit 47db7873136a9c57c45390a53b57019cf73c8259 ]
In megasas_mgmt_compat_ioctl_fw(), to handle the structure
compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle
the packet. Since the two data structures have different fields, the data
is copied from 'cioc' to 'ioc' field by field. In the copy process,
'sense_ptr' is prepared if the field 'sense_len' is not null, because it
will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and
saved to kernel-space variables 'local_sense_off' and 'user_sense_off'
respectively. Given that 'ioc->sense_off' is also copied from
'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
same value. However, 'cioc' is in the user space and a malicious user can
race to change the value of 'cioc->sense_off' after it is copied to
'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing
so, the attacker can inject different values into 'local_sense_off' and
'user_sense_off'. This can cause undefined behavior in the following
execution, because the two variables are supposed to be the same.

This patch enforces a check on the two kernel variables 'local_sense_off'
and 'user_sense_off' to make sure they are the same after the copy. In
case they are not, an error code EINVAL will be returned.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 6835bae33ec4..ac7acd257c99 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -6510,6 +6510,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
get_user(user_sense_off, &cioc->sense_off))
return -EFAULT;
+ if (local_sense_off != user_sense_off)
+ return -EINVAL;
+
if (local_sense_len) {
void __user **sense_ioc_ptr =
(void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
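Review bot: the new `if (local_sense_off != user_sense_off) return -EINVAL;` detects the disagreement but leaves the double fetch itself in place; since the commit message says `local_sense_off` already holds the value copied from `cioc->sense_off`, the second `get_user(user_sense_off, &cioc->sense_off)` in the context above could be dropped and `local_sense_off` used wherever `user_sense_off` is consumed, which removes the race window rather than policing it. If `user_sense_off` is genuinely needed separately, keep the check but add a one-line comment above it saying why the two copies must agree, otherwise the `-EINVAL` looks arbitrary to the next reader. Separately, the context line `(u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off` uses the offset with no range check visible in this hunk; worth confirming that it is bounded before this point.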
--
2.17.1
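The race the commit message describes is a classic double fetch: the same user-controlled field is read twice and the kernel assumes both reads agree. The following is an added, stand-alone C illustration (not part of the patch or of the megaraid_sas driver) that models the two shapes side by side: the pre-patch shape, where two reads of `sense_off` are compared after the fact, and the alternative where the packet is copied once and only the kernel copy is used. `fetch_u32()` stands in for `get_user()`, `memcpy()` for `copy_from_user()`, and the `race_hook` callback deterministically plays the part of a concurrent writer to user memory; all struct names, field values and helper names are constructed for the example.

```c
/* Double-fetch (TOCTOU) illustration in plain user-space C.
 * Added example, not part of the patch; get_user() is simulated by
 * fetch_u32() reading from a buffer that stands in for the user page,
 * and a hook callback stands in for a thread racing on that page. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

/* Stand-in for the user-controlled compat packet (constructed). */
struct compat_pkt {
    uint32_t sense_len;
    uint32_t sense_off;
};

/* Kernel-side copy holding only the fields the handler needs (constructed). */
struct kern_pkt {
    uint32_t sense_len;
    uint32_t sense_off;
};

/* Models a racing user thread that may modify the packet between reads. */
typedef void (*race_hook)(struct compat_pkt *user);

/* Simulated get_user(): one read of one field from "user memory". */
static uint32_t fetch_u32(const uint32_t *user_field) { return *user_field; }

/* Pattern A: two independent reads of the same user field (the pre-patch
 * shape), followed by the consistency check the patch adds.
 * Returns 0 if the two reads agree, -EINVAL otherwise. */
static int double_fetch(struct compat_pkt *user, race_hook hook,
                        uint32_t *local_off, uint32_t *user_off)
{
    *local_off = fetch_u32(&user->sense_off);
    if (hook) hook(user);            /* racing writer runs in the window */
    *user_off = fetch_u32(&user->sense_off);
    return (*local_off == *user_off) ? 0 : -EINVAL;
}

/* Pattern B: copy the packet once, then use only the kernel copy.
 * There is no second read, so there is no window to disagree with. */
static int single_fetch(struct compat_pkt *user, race_hook hook,
                        struct kern_pkt *k)
{
    memcpy(k, user, sizeof(*k));     /* simulated copy_from_user() */
    if (hook) hook(user);            /* too late: kernel copy already taken */
    return 0;
}

/* Constructed racing writer: changes sense_off in "user memory". */
static void flip_sense_off(struct compat_pkt *user) { user->sense_off = 0xFFFF0000u; }

/* Returns 1 if the double-fetch path detected the mismatch under the race. */
int demo_double_fetch_detects_race(void)
{
    struct compat_pkt user = { .sense_len = 32, .sense_off = 64 };
    uint32_t local_off, user_off;
    int rc = double_fetch(&user, flip_sense_off, &local_off, &user_off);
    return rc == -EINVAL && local_off == 64 && user_off == 0xFFFF0000u;
}

/* Returns 1 if the single-fetch path keeps the value it read first. */
int demo_single_fetch_unaffected(void)
{
    struct compat_pkt user = { .sense_len = 32, .sense_off = 64 };
    struct kern_pkt k;
    int rc = single_fetch(&user, flip_sense_off, &k);
    return rc == 0 && k.sense_off == 64 && k.sense_len == 32;
}

/* Without a racing writer both reads agree and the check passes. */
int demo_no_race_passes(void)
{
    struct compat_pkt user = { .sense_len = 32, .sense_off = 64 };
    uint32_t a, b;
    return double_fetch(&user, NULL, &a, &b) == 0 && a == b;
}

int main(void)
{
    printf("double fetch detects race: %d\n", demo_double_fetch_detects_race());
    printf("single fetch unaffected:   %d\n", demo_single_fetch_unaffected());
    printf("no race passes check:      %d\n", demo_no_race_passes());
    return 0;
}
```

The comparison the patch adds (pattern A) turns a silent inconsistency into a clean `-EINVAL`, which is the minimal fix for a stable backport. Pattern B is the structural alternative a reviewer would normally prefer for new code: fetch each user-controlled field exactly once and derive every later use from the kernel-side copy.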