• Wenwen Wang's avatar
    scsi: 3w-9xxx: fix a missing-check bug · 092b0288
    Wenwen Wang authored
    [ Upstream commit c9318a3e ]
    
    In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from
    the userspace pointer 'argp' and saved to the kernel object
    'driver_command'.  Then a security check is performed on the data buffer
    size indicated by 'driver_command', which is
    'driver_command.buffer_length'. If the security check is passed, the
    entire ioctl command is copied again from the 'argp' pointer and saved
    to the kernel object 'tw_ioctl'. Then, various operations are performed
    on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer
    resides in userspace, a malicious userspace process can race to change
    the buffer size between the two copies. This way, the user can bypass
    the security check and inject invalid data buffer size. This can cause
    potential security issues in the following execution.
    
    This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open()t o
    avoid the above issues.
    Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
    Acked-by: default avatarAdam Radford <aradford@gmail.com>
    Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    092b0288
3w-9xxx.c 75.3 KB