    scsi: 3w-xxxx: fix a missing-check bug · 9899e4d3
    Wenwen Wang authored
    In tw_chrdev_ioctl(), the length of the data buffer is firstly copied
    from the userspace pointer 'argp' and saved to the kernel object
    'data_buffer_length'. Then a security check is performed on it to make
    sure that the length is not more than 'TW_MAX_IOCTL_SECTORS *
    512'. Otherwise, an error code -EINVAL is returned. If the security
    check is passed, the entire ioctl command is copied again from the
    'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various
    operations are performed on 'tw_ioctl' according to the 'cmd'. Given
    that the 'argp' pointer resides in userspace, a malicious userspace
    process can race to change the buffer length between the two
    copies. This way, the user can bypass the security check and inject an
    invalid data buffer length. This can cause potential security issues in
    the following execution.
    
    This patch checks for capable(CAP_SYS_ADMIN) in tw_chrdev_open() to
    avoid the above issues.
    Signed-off-by: Wenwen Wang <wang6495@umn.edu>
    Acked-by: Adam Radford <aradford@gmail.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
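The race the commit message describes, as an added user-space model that is not the 3w-xxxx driver's code: the ioctl header is read twice, a simulated racing thread rewrites the length between the reads, and the hardened variant copies once and validates the kernel-side copy (the patch itself mitigates this with a capability check in open, not by removing the second fetch). `MAX_LEN`, `fetch()` and `racer()` are constructed stand-ins for `TW_MAX_IOCTL_SECTORS * 512`, `copy_from_user()` and a concurrent user thread.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not the 3w-xxxx driver's code: a user-space model of
 * the double fetch described in the commit message. The "user buffer" is a
 * plain struct and the racing thread is simulated by a function call. */
#define MAX_LEN 512u   /* stands in for TW_MAX_IOCTL_SECTORS * 512 */

struct ioctl_hdr { uint32_t data_buffer_length; uint32_t cmd; };

/* Stand-in for copy_from_user(): the kernel side gets a private copy. */
static void fetch(struct ioctl_hdr *dst, const struct ioctl_hdr *user)
{
    memcpy(dst, user, sizeof *dst);
}

/* Simulated racing user thread: rewrites the length after the first copy. */
static void racer(struct ioctl_hdr *user)
{
    user->data_buffer_length = 4096;
}

/* Vulnerable pattern: validate copy #1, then act on copy #2.
 * Returns the length the handler would go on to use, or -EINVAL. */
long handle_double_fetch(struct ioctl_hdr *user)
{
    struct ioctl_hdr first, second;
    fetch(&first, user);
    if (first.data_buffer_length > MAX_LEN)
        return -EINVAL;
    racer(user);           /* race window between the two copies */
    fetch(&second, user);  /* the checked value is no longer the used value */
    return second.data_buffer_length;
}

/* Hardened pattern: copy once, validate the kernel-side copy, use that copy.
 * Later changes to user memory cannot influence the value already checked. */
long handle_single_fetch(struct ioctl_hdr *user)
{
    struct ioctl_hdr copy;
    fetch(&copy, user);
    racer(user);           /* same interference, now without effect */
    if (copy.data_buffer_length > MAX_LEN)
        return -EINVAL;
    return copy.data_buffer_length;
}
```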
3w-xxxx.c 82.8 KB