From: Christoph Hellwig <hch@lst.de>
To: Arnd Bergmann <arnd@kernel.org>
Cc: Kashyap Desai <kashyap.desai@broadcom.com>,
	Sumit Saxena <sumit.saxena@broadcom.com>,
	Shivasharan S <shivasharan.srikanteshwara@broadcom.com>,
	"James E.J. Bottomley" <jejb@linux.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Arnd Bergmann <arnd@arndb.de>,
	stable@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
	Anand Lodnoor <anand.lodnoor@broadcom.com>,
	Hannes Reinecke <hare@suse.de>,
	megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 2/3] scsi: megaraid_sas: check user-provided offsets
Date: Tue, 3 Nov 2020 09:55:48 +0100
Message-ID: <20201103085548.GB14092@lst.de>
In-Reply-To: <20201030164450.1253641-2-arnd@kernel.org>

On Fri, Oct 30, 2020 at 05:44:20PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> It sounds unwise to let user space pass an unchecked 32-bit
> offset into a kernel structure in an ioctl. This is an unsigned
> variable, so checking the upper bound for the size of the structure
> it points into is sufficient to avoid data corruption, but as
> the pointer might also be unaligned, it has to be written carefully
> as well.
> 
> While I stumbled over this problem by reading the code, I did not
> continue checking the function for further problems like it.
> 
> Cc: <stable@vger.kernel.org> # v2.6.15+
> Fixes: c4a3e0a529ab ("[SCSI] MegaRAID SAS RAID: new driver")
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  drivers/scsi/megaraid/megaraid_sas_base.c | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
> index 41cd66fc7d81..b1b9a8823c8c 100644
> --- a/drivers/scsi/megaraid/megaraid_sas_base.c
> +++ b/drivers/scsi/megaraid/megaraid_sas_base.c
> @@ -8134,7 +8134,7 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
>  	int error = 0, i;
>  	void *sense = NULL;
>  	dma_addr_t sense_handle;
> -	unsigned long *sense_ptr;
> +	void *sense_ptr;
>  	u32 opcode = 0;
>  	int ret = DCMD_SUCCESS;
>  
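
Review bot: the new `void *sense_ptr` declaration no longer says what is stored through the pointer or why a typed pointer is avoided. The commit message gives the reason (the target inside the frame may be unaligned), so a one-line comment at the declaration saying that it points at a possibly unaligned location in the frame would keep a later cleanup from turning it back into a typed pointer with a plain dereference.
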
> @@ -8257,6 +8257,12 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
>  	}
>  
>  	if (ioc->sense_len) {
> +		/* make sure the pointer is part of the frame */
> +		if (ioc->sense_off > (sizeof(union megasas_frame) - sizeof(__le64))) {
> +			error = -EINVAL;
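
Review bot: the bound on `ioc->sense_off` subtracts `sizeof(__le64)` without saying why eight bytes are reserved at the end of the frame. The comment above it only says the pointer must be part of the frame; it should also name the width of the value written at that offset, so the check and the store cannot drift apart. The outer parentheses around the subtraction are redundant, and breaking the condition after `>` would bring the line under 80 columns.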

This still has the overly long line.
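
The check discussed in this thread, modelled in user-space C as an added example that is not the driver's code and not part of either message. `FRAME_SIZE`, `struct ioc_req` and `store_sense_addr` are hypothetical stand-ins for the frame union, the ioctl packet and the store, and the 64-byte frame size is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Assumed size; stands in for sizeof(union megasas_frame). */
#define FRAME_SIZE 64u

/* Hypothetical ioctl packet: only the fields the check needs. */
struct ioc_req {
	uint32_t sense_off;	/* user-controlled byte offset into the frame */
	uint32_t sense_len;	/* non-zero when a sense address is wanted */
};

/*
 * Store a 64-bit address at a user-chosen offset inside the frame.
 * Returns 0 on success, -EINVAL if the 8-byte store would not fit.
 */
int store_sense_addr(uint8_t frame[FRAME_SIZE], const struct ioc_req *ioc,
		     uint64_t addr)
{
	if (!ioc->sense_len)
		return 0;	/* nothing requested, offset is never used */

	/*
	 * Compare against (size - width) rather than testing
	 * (off + width > size): the addition can wrap when done in
	 * 32-bit arithmetic for offsets near UINT32_MAX, while the
	 * subtraction of two constants cannot.
	 */
	if (ioc->sense_off > FRAME_SIZE - sizeof(uint64_t))
		return -EINVAL;

	/* The offset may be odd, so copy bytes instead of casting and dereferencing. */
	memcpy(frame + ioc->sense_off, &addr, sizeof(addr));
	return 0;
}
```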
