| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <yq1ef4gy94k.fsf@oracle.com>
Date: Wed, 29 May 2019 22:22:03 -0400
From: "Martin K. Petersen" <martin.petersen@...cle.com>
To: Gen Zhang <blackgod016574@...il.com>
Cc: sathya.prakash@...adcom.com, chaitra.basappa@...adcom.com,
jejb@...ux.ibm.com, martin.petersen@...cle.com,
suganath-prabu.subramani@...adcom.com,
MPT-FusionLinux.pdl@...adcom.com, linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()
Gen,
> In _ctl_ioctl_main(), 'ioctl_header' is fetched the first time from
> userspace. 'ioctl_header.ioc_number' is then checked. The legal result
> is saved to 'ioc'. Then, in condition MPT3COMMAND, the whole struct is
> fetched again from the userspace. Then _ctl_do_mpt_command() is called,
> 'ioc' and 'karg' as inputs.
>
> However, a malicious user can change the 'ioc_number' between the two
> fetches, which will cause a potential security issues. Moreover, a
> malicious user can provide a valid 'ioc_number' to pass the check in
> first fetch, and then modify it in the second fetch.
>
> To fix this, we need to recheck the 'ioc_number' in the second fetch.
Applied to 5.3/scsi-queue, thanks.
--
Martin K. Petersen Oracle Linux Engineering
Powered by blists - more mailing lists