/[packages]/cauldron/kernel/current/PATCHES/patches/0095-scsi-megaraid_sas-fix-a-missing-check-bug.patch
ViewVC logotype

Annotation of /cauldron/kernel/current/PATCHES/patches/0095-scsi-megaraid_sas-fix-a-missing-check-bug.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1329221 - (hide annotations) (download)
Fri Nov 9 22:05:45 2018 UTC (5 years, 10 months ago) by tmb
File size: 2574 byte(s)
add fixes from sashas autosel queue
1 tmb 1329221 From df8157dcc213cb18f9b1c02891c8db457b0160d0 Mon Sep 17 00:00:00 2001
2     From: Wenwen Wang <wang6495@umn.edu>
3     Date: Sat, 6 Oct 2018 13:34:21 -0500
4     Subject: [PATCH 095/145] scsi: megaraid_sas: fix a missing-check bug
5    
6     [ Upstream commit 47db7873136a9c57c45390a53b57019cf73c8259 ]
7    
8     In megasas_mgmt_compat_ioctl_fw(), to handle the structure
9     compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
10     'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle
11     the packet. Since the two data structures have different fields, the data
12     is copied from 'cioc' to 'ioc' field by field. In the copy process,
13     'sense_ptr' is prepared if the field 'sense_len' is not null, because it
14     will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
15     user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and
16     saved to kernel-space variables 'local_sense_off' and 'user_sense_off'
17     respectively. Given that 'ioc->sense_off' is also copied from
18     'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
19     same value. However, 'cioc' is in the user space and a malicious user can
20     race to change the value of 'cioc->sense_off' after it is copied to
21     'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing
22     so, the attacker can inject different values into 'local_sense_off' and
23     'user_sense_off'. This can cause undefined behavior in the following
24     execution, because the two variables are supposed to be same.
25    
26     This patch enforces a check on the two kernel variables 'local_sense_off'
27     and 'user_sense_off' to make sure they are the same after the copy. In
28     case they are not, an error code EINVAL will be returned.
29    
30     Signed-off-by: Wenwen Wang <wang6495@umn.edu>
31     Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
32     Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
33     Signed-off-by: Sasha Levin <sashal@kernel.org>
34     ---
35     drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
36     1 file changed, 3 insertions(+)
37    
38     diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
39     index 9aa9590c5373..f6de7526ded5 100644
40     --- a/drivers/scsi/megaraid/megaraid_sas_base.c
41     +++ b/drivers/scsi/megaraid/megaraid_sas_base.c
42     @@ -7523,6 +7523,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
43     get_user(user_sense_off, &cioc->sense_off))
44     return -EFAULT;
45    
46     + if (local_sense_off != user_sense_off)
47     + return -EINVAL;
48     +
49     if (local_sense_len) {
50     void __user **sense_ioc_ptr =
51     (void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
52     --
53     2.19.1
54    

  ViewVC Help
Powered by ViewVC 1.1.30