Date: Tue, 25 Dec 2018 15:20:47 -0600 From: Kangjie Lu <kjlu@....edu> To: kjlu@....edu Cc: pakki001@....edu, Adaptec OEM Raid Solutions <aacraid@...rosemi.com>, "James E.J. Bottomley" <jejb@...ux.vnet.ibm.com>, "Martin K. Petersen" <martin.petersen@...cle.com>, linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH] scsi: fix a double-fetch bug in adpt_i2o_passthru user_msg[0] is a size variable, which is copied in from user space and checked. It is copied in again from user space after the check, and used in the following execution. Malicious user programs can race to change user_msg[0] between the two copies, leading to incorrect size. The fix ensures to use the checked size. Signed-off-by: Kangjie Lu <kjlu@....edu> --- drivers/scsi/dpt_i2o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 37de8fb186d7..93bd1d1bd5b5 100644 --- a/drivers/scsi/dpt_i2o.c +++ b/drivers/scsi/dpt_i2o.c @@ -1733,6 +1733,9 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg) if(copy_from_user(msg, user_msg, size)) { return -EFAULT; } + /* Ensure it is not changed in the second copy */ + msg[0] = size; + get_user(reply_size, &user_reply[0]); reply_size = reply_size>>16; if(reply_size > REPLY_FRAME_SIZE){ -- 2.17.2 (Apple Git-113)
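Review bot: `msg[0] = size;` does not restore the checked header word. In the visible context `size` is the byte count handed to `copy_from_user(msg, user_msg, size)`, while the layout suggested by `reply_size = reply_size>>16;` keeps the size in the upper 16 bits of the first word with other fields below it; writing the byte count over the whole word therefore clobbers the low-order fields and puts the size in the wrong position. Suggest saving the full first word fetched before the check and writing that back (`msg[0] = checked_hdr;`), or re-validating `msg[0] >> 16` against the checked value after the copy and returning -EFAULT on mismatch. The comment should also name the race it closes (the value can change between the first fetch and `copy_from_user`), and the `get_user(reply_size, &user_reply[0])` in the same context, whose return value is ignored, is a second fetch that deserves the same scrutiny.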
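A userspace model of the double fetch the commit message describes, added here as an example and not code from the patch or the driver. It assumes word 0 of the user message carries the size in its upper 16 bits (the layout the `>>16` shifts imply); the limit, the low-order header bits and the racing rewrite are constructed, and the hardened variant writes the whole validated header word back rather than a byte count.

```c
#include <stdint.h>
#include <string.h>

#define MAX_MESSAGE_SIZE 32   /* limit in 32-bit words (constructed for this model) */
#define BUF_WORDS 64

/* Model of a user-supplied I2O-style message: word 0 carries the message
 * size in its upper 16 bits and other header fields in the low 16 bits. */
typedef struct {
    uint32_t words[BUF_WORDS];
    int racing;               /* 1 = a racing thread rewrites word 0 between fetches */
} user_msg_t;

void make_msg(user_msg_t *u, uint32_t size_words, int racing) {
    memset(u, 0, sizeof *u);
    u->words[0] = (size_words << 16) | 0x0001;   /* size | constructed low bits */
    u->racing = racing;
}

/* Stand-in for get_user(): the first fetch of the header word. */
static uint32_t fetch_header(const user_msg_t *u) { return u->words[0]; }

/* Stand-in for copy_from_user(): the second fetch. If a racer is active, the
 * header is rewritten to claim BUF_WORDS-1 words just before the copy runs. */
static void copy_from(user_msg_t *u, uint32_t *dst, uint32_t nwords) {
    if (u->racing)
        u->words[0] = ((uint32_t)(BUF_WORDS - 1) << 16) | (u->words[0] & 0xffff);
    memcpy(dst, u->words, nwords * sizeof(uint32_t));
}

/* Double-fetch pattern: validate the first fetch, then trust the copied word.
 * Returns the size the handler would go on to use, or -1 if rejected. */
int passthru_double_fetch(user_msg_t *u, uint32_t *kmsg) {
    uint32_t size = fetch_header(u) >> 16;
    if (size > MAX_MESSAGE_SIZE) return -1;
    copy_from(u, kmsg, size);
    return (int)(kmsg[0] >> 16);      /* may no longer equal the validated size */
}

/* Hardened pattern: keep the whole validated header word and write it back over
 * the copy, so the low-order fields survive and the size is the checked one. */
int passthru_pinned_header(user_msg_t *u, uint32_t *kmsg) {
    uint32_t hdr = fetch_header(u);
    uint32_t size = hdr >> 16;
    if (size > MAX_MESSAGE_SIZE) return -1;
    copy_from(u, kmsg, size);
    kmsg[0] = hdr;                    /* pin the validated header word, not a byte count */
    return (int)(kmsg[0] >> 16);
}
```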