[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <7e727b1a-88e5-7062-159e-bf4be110d168@interlog.com>
Date: Tue, 25 Dec 2018 22:42:52 -0500
From: Douglas Gilbert <dgilbert@...erlog.com>
To: Kangjie Lu <kjlu@....edu>
Cc: pakki001@....edu, "James E.J. Bottomley" <jejb@...ux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] scsi: fix a double-fetch bug in sg_write
On 2018-12-25 3:24 p.m., Kangjie Lu wrote:
> "opcode" has been copied in from user space and checked. We should not
> copy it in again, which may have been modified by malicous
> multi-threading user programs through race conditions. The fix uses the
> opcode fetched in the first copy.
>
> Signed-off-by: Kangjie Lu <kjlu@....edu>
Acked-by: Douglas Gilbert <dgilbert@...erlog.com>
Also applied to my sg v4 driver code. The v1 and v2 interfaces (based on
struct sg_header) did not provide a command length field. The sg driver
needed to read the first byte of the command (the "opcode") to determine
the full command's length prior to actually reading it in full.
Hard to think of an example of an exploit based on this double read.
> ---
> drivers/scsi/sg.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index 4dacbfffd113..41774e4f9508 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -686,7 +686,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
> hp->flags = input_size; /* structure abuse ... */
> hp->pack_id = old_hdr.pack_id;
> hp->usr_ptr = NULL;
> - if (__copy_from_user(cmnd, buf, cmd_size))
> + cmnd[0] = opcode;
> + if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1))
> return -EFAULT;
> /*
> * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
>
Powered by blists - more mailing lists