1 |
tmb |
1329221 |
From df8157dcc213cb18f9b1c02891c8db457b0160d0 Mon Sep 17 00:00:00 2001 |
2 |
|
|
From: Wenwen Wang <wang6495@umn.edu> |
3 |
|
|
Date: Sat, 6 Oct 2018 13:34:21 -0500 |
4 |
|
|
Subject: [PATCH 095/145] scsi: megaraid_sas: fix a missing-check bug |
5 |
|
|
|
6 |
|
|
[ Upstream commit 47db7873136a9c57c45390a53b57019cf73c8259 ] |
7 |
|
|
|
8 |
|
|
In megasas_mgmt_compat_ioctl_fw(), to handle the structure |
9 |
|
|
compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket |
10 |
|
|
'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle |
11 |
|
|
the packet. Since the two data structures have different fields, the data |
12 |
|
|
is copied from 'cioc' to 'ioc' field by field. In the copy process, |
13 |
|
|
'sense_ptr' is prepared if the field 'sense_len' is not null, because it |
14 |
|
|
will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the |
15 |
|
|
user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and |
16 |
|
|
saved to kernel-space variables 'local_sense_off' and 'user_sense_off' |
17 |
|
|
respectively. Given that 'ioc->sense_off' is also copied from |
18 |
|
|
'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the |
19 |
|
|
same value. However, 'cioc' is in the user space and a malicious user can |
20 |
|
|
race to change the value of 'cioc->sense_off' after it is copied to |
21 |
|
|
'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing |
22 |
|
|
so, the attacker can inject different values into 'local_sense_off' and |
23 |
|
|
'user_sense_off'. This can cause undefined behavior in the following |
24 |
|
|
execution, because the two variables are supposed to be same. |
25 |
|
|
|
26 |
|
|
This patch enforces a check on the two kernel variables 'local_sense_off' |
27 |
|
|
and 'user_sense_off' to make sure they are the same after the copy. In |
28 |
|
|
case they are not, an error code EINVAL will be returned. |
29 |
|
|
|
30 |
|
|
Signed-off-by: Wenwen Wang <wang6495@umn.edu> |
31 |
|
|
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com> |
32 |
|
|
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> |
33 |
|
|
Signed-off-by: Sasha Levin <sashal@kernel.org> |
34 |
|
|
--- |
35 |
|
|
drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++ |
36 |
|
|
1 file changed, 3 insertions(+) |
37 |
|
|
|
38 |
|
|
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c |
39 |
|
|
index 9aa9590c5373..f6de7526ded5 100644 |
40 |
|
|
--- a/drivers/scsi/megaraid/megaraid_sas_base.c |
41 |
|
|
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c |
42 |
|
|
@@ -7523,6 +7523,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) |
43 |
|
|
get_user(user_sense_off, &cioc->sense_off)) |
44 |
|
|
return -EFAULT; |
45 |
|
|
|
46 |
|
|
+ if (local_sense_off != user_sense_off) |
47 |
|
|
+ return -EINVAL; |
48 |
|
|
+ |
49 |
|
|
if (local_sense_len) { |
50 |
|
|
void __user **sense_ioc_ptr = |
51 |
|
|
(void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off); |
52 |
|
|
-- |
53 |
|
|
2.19.1 |
54 |
|
|
|