* [PATCH] scsi: megaraid_sas: fix a missing-check bug
@ 2018-10-06 18:34 ` Wenwen Wang
0 siblings, 0 replies; 8+ messages in thread
From: Wenwen Wang @ 2018-10-06 18:34 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Kashyap Desai, Sumit Saxena, Shivasharan S,
James E.J. Bottomley, Martin K. Petersen,
open list:MEGARAID SCSI/SAS DRIVERS,
open list:MEGARAID SCSI/SAS DRIVERS, open list
In megasas_mgmt_compat_ioctl_fw(), to handle the structure
compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
packet. Since the two data structures have different fields, the data is
copied from 'cioc' to 'ioc' field by field. In the copy process,
'sense_ptr' is prepared if the field 'sense_len' is not null, because it
will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
to kernel-space variables 'local_sense_off' and 'user_sense_off'
respectively. Given that 'ioc->sense_off' is also copied from
'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
same value. However, 'cioc' is in the user space and a malicious user can
race to change the value of 'cioc->sense_off' after it is copied to
'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
the attacker can inject different values into 'local_sense_off' and
'user_sense_off'. This can cause undefined behavior in the following
execution, because the two variables are supposed to be same.
This patch enforces a check on the two kernel variables 'local_sense_off'
and 'user_sense_off' to make sure they are the same after the copy. In case
they are not, an error code EINVAL will be returned.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 9aa9590..f6de752 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -7523,6 +7523,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
get_user(user_sense_off, &cioc->sense_off))
return -EFAULT;
+ if (local_sense_off != user_sense_off)
+ return -EINVAL;
+
if (local_sense_len) {
void __user **sense_ioc_ptr =
(void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH] scsi: megaraid_sas: fix a missing-check bug
@ 2018-10-06 18:34 ` Wenwen Wang
0 siblings, 0 replies; 8+ messages in thread
From: Wenwen Wang @ 2018-10-06 18:34 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Kashyap Desai, Sumit Saxena, Shivasharan S,
James E.J. Bottomley, Martin K. Petersen,
open list:MEGARAID SCSI/SAS DRIVERS,
open list:MEGARAID SCSI/SAS DRIVERS, open list
In megasas_mgmt_compat_ioctl_fw(), to handle the structure
compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
packet. Since the two data structures have different fields, the data is
copied from 'cioc' to 'ioc' field by field. In the copy process,
'sense_ptr' is prepared if the field 'sense_len' is not null, because it
will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
to kernel-space variables 'local_sense_off' and 'user_sense_off'
respectively. Given that 'ioc->sense_off' is also copied from
'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
same value. However, 'cioc' is in the user space and a malicious user can
race to change the value of 'cioc->sense_off' after it is copied to
'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
the attacker can inject different values into 'local_sense_off' and
'user_sense_off'. This can cause undefined behavior in the following
execution, because the two variables are supposed to be same.
This patch enforces a check on the two kernel variables 'local_sense_off'
and 'user_sense_off' to make sure they are the same after the copy. In case
they are not, an error code EINVAL will be returned.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 9aa9590..f6de752 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -7523,6 +7523,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
get_user(user_sense_off, &cioc->sense_off))
return -EFAULT;
+ if (local_sense_off != user_sense_off)
+ return -EINVAL;
+
if (local_sense_len) {
void __user **sense_ioc_ptr =
(void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug
2018-10-06 18:34 ` Wenwen Wang
@ 2018-10-16 3:43 ` Martin K. Petersen
-1 siblings, 0 replies; 8+ messages in thread
From: Martin K. Petersen @ 2018-10-16 3:43 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Kashyap Desai, Sumit Saxena, Shivasharan S,
James E.J. Bottomley, Martin K. Petersen,
open list:MEGARAID SCSI/SAS DRIVERS,
open list:MEGARAID SCSI/SAS DRIVERS, open list
Wenwen,
> In megasas_mgmt_compat_ioctl_fw(), to handle the structure
> compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
> 'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
> packet. Since the two data structures have different fields, the data is
> copied from 'cioc' to 'ioc' field by field. In the copy process,
> 'sense_ptr' is prepared if the field 'sense_len' is not null, because it
> will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
> user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
> to kernel-space variables 'local_sense_off' and 'user_sense_off'
> respectively. Given that 'ioc->sense_off' is also copied from
> 'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
> same value. However, 'cioc' is in the user space and a malicious user can
> race to change the value of 'cioc->sense_off' after it is copied to
> 'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
> the attacker can inject different values into 'local_sense_off' and
> 'user_sense_off'. This can cause undefined behavior in the following
> execution, because the two variables are supposed to be same.
>
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.
Broadcom folks: Please review!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug
@ 2018-10-16 3:43 ` Martin K. Petersen
0 siblings, 0 replies; 8+ messages in thread
From: Martin K. Petersen @ 2018-10-16 3:43 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Kashyap Desai, Sumit Saxena, Shivasharan S,
James E.J. Bottomley, Martin K. Petersen,
open list:MEGARAID SCSI/SAS DRIVERS,
open list:MEGARAID SCSI/SAS DRIVERS, open list
Wenwen,
> In megasas_mgmt_compat_ioctl_fw(), to handle the structure
> compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
> 'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
> packet. Since the two data structures have different fields, the data is
> copied from 'cioc' to 'ioc' field by field. In the copy process,
> 'sense_ptr' is prepared if the field 'sense_len' is not null, because it
> will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
> user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
> to kernel-space variables 'local_sense_off' and 'user_sense_off'
> respectively. Given that 'ioc->sense_off' is also copied from
> 'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
> same value. However, 'cioc' is in the user space and a malicious user can
> race to change the value of 'cioc->sense_off' after it is copied to
> 'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
> the attacker can inject different values into 'local_sense_off' and
> 'user_sense_off'. This can cause undefined behavior in the following
> execution, because the two variables are supposed to be same.
>
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.
Broadcom folks: Please review!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug
2018-10-06 18:34 ` Wenwen Wang
@ 2018-10-16 11:56 ` Sumit Saxena
-1 siblings, 0 replies; 8+ messages in thread
From: Sumit Saxena @ 2018-10-16 11:56 UTC (permalink / raw)
To: wang6495
Cc: kjlu, Kashyap Desai, Shivasharan Srikanteshwara,
James E. J. Bottomley, Martin K. Petersen, PDL,MEGARAIDLINUX,
Linux SCSI List, LKML
On Sun, Oct 7, 2018 at 12:04 AM Wenwen Wang <wang6495@umn.edu> wrote:
>
> In megasas_mgmt_compat_ioctl_fw(), to handle the structure
> compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
> 'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
> packet. Since the two data structures have different fields, the data is
> copied from 'cioc' to 'ioc' field by field. In the copy process,
> 'sense_ptr' is prepared if the field 'sense_len' is not null, because it
> will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
> user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
> to kernel-space variables 'local_sense_off' and 'user_sense_off'
> respectively. Given that 'ioc->sense_off' is also copied from
> 'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
> same value. However, 'cioc' is in the user space and a malicious user can
> race to change the value of 'cioc->sense_off' after it is copied to
> 'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
> the attacker can inject different values into 'local_sense_off' and
> 'user_sense_off'. This can cause undefined behavior in the following
> execution, because the two variables are supposed to be same.
>
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
> drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
> index 9aa9590..f6de752 100644
> --- a/drivers/scsi/megaraid/megaraid_sas_base.c
> +++ b/drivers/scsi/megaraid/megaraid_sas_base.c
> @@ -7523,6 +7523,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
> get_user(user_sense_off, &cioc->sense_off))
> return -EFAULT;
>
> + if (local_sense_off != user_sense_off)
> + return -EINVAL;
> +
> if (local_sense_len) {
> void __user **sense_ioc_ptr =
> (void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
> --
> 2.7.4
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug
@ 2018-10-16 11:56 ` Sumit Saxena
0 siblings, 0 replies; 8+ messages in thread
From: Sumit Saxena @ 2018-10-16 11:56 UTC (permalink / raw)
To: wang6495
Cc: kjlu, Kashyap Desai, Shivasharan Srikanteshwara,
James E. J. Bottomley, Martin K. Petersen, PDL,MEGARAIDLINUX,
Linux SCSI List, LKML
On Sun, Oct 7, 2018 at 12:04 AM Wenwen Wang <wang6495@umn.edu> wrote:
>
> In megasas_mgmt_compat_ioctl_fw(), to handle the structure
> compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
> 'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the
> packet. Since the two data structures have different fields, the data is
> copied from 'cioc' to 'ioc' field by field. In the copy process,
> 'sense_ptr' is prepared if the field 'sense_len' is not null, because it
> will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
> user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved
> to kernel-space variables 'local_sense_off' and 'user_sense_off'
> respectively. Given that 'ioc->sense_off' is also copied from
> 'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
> same value. However, 'cioc' is in the user space and a malicious user can
> race to change the value of 'cioc->sense_off' after it is copied to
> 'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so,
> the attacker can inject different values into 'local_sense_off' and
> 'user_sense_off'. This can cause undefined behavior in the following
> execution, because the two variables are supposed to be same.
>
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
> drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
> index 9aa9590..f6de752 100644
> --- a/drivers/scsi/megaraid/megaraid_sas_base.c
> +++ b/drivers/scsi/megaraid/megaraid_sas_base.c
> @@ -7523,6 +7523,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
> get_user(user_sense_off, &cioc->sense_off))
> return -EFAULT;
>
> + if (local_sense_off != user_sense_off)
> + return -EINVAL;
> +
> if (local_sense_len) {
> void __user **sense_ioc_ptr =
> (void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
> --
> 2.7.4
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug
2018-10-06 18:34 ` Wenwen Wang
@ 2018-10-16 21:56 ` Martin K. Petersen
-1 siblings, 0 replies; 8+ messages in thread
From: Martin K. Petersen @ 2018-10-16 21:56 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Kashyap Desai, Sumit Saxena, Shivasharan S,
James E.J. Bottomley, Martin K. Petersen,
open list:MEGARAID SCSI/SAS DRIVERS,
open list:MEGARAID SCSI/SAS DRIVERS, open list
Wenwen,
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.
Applied to 4.20/scsi-queue, thank you!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: megaraid_sas: fix a missing-check bug
@ 2018-10-16 21:56 ` Martin K. Petersen
0 siblings, 0 replies; 8+ messages in thread
From: Martin K. Petersen @ 2018-10-16 21:56 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Kashyap Desai, Sumit Saxena, Shivasharan S,
James E.J. Bottomley, Martin K. Petersen,
open list:MEGARAID SCSI/SAS DRIVERS,
open list:MEGARAID SCSI/SAS DRIVERS, open list
Wenwen,
> This patch enforces a check on the two kernel variables 'local_sense_off'
> and 'user_sense_off' to make sure they are the same after the copy. In case
> they are not, an error code EINVAL will be returned.
Applied to 4.20/scsi-queue, thank you!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-10-16 21:56 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-06 18:34 [PATCH] scsi: megaraid_sas: fix a missing-check bug Wenwen Wang
2018-10-06 18:34 ` Wenwen Wang
2018-10-16 3:43 ` Martin K. Petersen
2018-10-16 3:43 ` Martin K. Petersen
2018-10-16 11:56 ` Sumit Saxena
2018-10-16 11:56 ` Sumit Saxena
2018-10-16 21:56 ` Martin K. Petersen
2018-10-16 21:56 ` Martin K. Petersen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.