• Wenwen Wang's avatar
    scsi: megaraid_sas: fix a missing-check bug · 47db7873
    Wenwen Wang authored
    In megasas_mgmt_compat_ioctl_fw(), to handle the structure
    compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
    'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle
    the packet. Since the two data structures have different fields, the data
    is copied from 'cioc' to 'ioc' field by field. In the copy process,
    'sense_ptr' is prepared if the field 'sense_len' is not null, because it
    will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
    user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and
    saved to kernel-space variables 'local_sense_off' and 'user_sense_off'
    respectively. Given that 'ioc->sense_off' is also copied from
    'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
    same value. However, 'cioc' is in the user space and a malicious user can
    race to change the value of 'cioc->sense_off' after it is copied to
    'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing
    so, the attacker can inject different values into 'local_sense_off' and
    'user_sense_off'. This can cause undefined behavior in the following
    execution, because the two variables are supposed to be same.
    
    This patch enforces a check on the two kernel variables 'local_sense_off'
    and 'user_sense_off' to make sure they are the same after the copy. In
    case they are not, an error code EINVAL will be returned.
    Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
    Acked-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
    Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
    47db7873
megaraid_sas_base.c 214 KB