[PATCH] scsi: fix a double-fetch bug in sg_write

From: Kangjie Lu
Date: Tue Dec 25 2018 - 15:25:46 EST

Next message: Kangjie Lu: "[PATCH] scsi: avoiding fetching signature from user space again after check"
Previous message: Jan Harkes: "Re: [PATCH] fs: coda: fix a double-fetch case in coda_psdev_write"
Next in thread: Douglas Gilbert: "Re: [PATCH] scsi: fix a double-fetch bug in sg_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"opcode" has been copied in from user space and checked. We should not
copy it in again, which may have been modified by malicous
multi-threading user programs through race conditions. The fix uses the
opcode fetched in the first copy.

Signed-off-by: Kangjie Lu <kjlu@xxxxxxx>
---
drivers/scsi/sg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 4dacbfffd113..41774e4f9508 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -686,7 +686,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
hp->flags = input_size; /* structure abuse ... */
hp->pack_id = old_hdr.pack_id;
hp->usr_ptr = NULL;
- if (__copy_from_user(cmnd, buf, cmd_size))
+ cmnd[0] = opcode;
+ if (__copy_from_user(cmnd + 1, buf + 1, cmd_size - 1))
return -EFAULT;
/*
* SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
--
2.17.2 (Apple Git-113)

Next message: Kangjie Lu: "[PATCH] scsi: avoiding fetching signature from user space again after check"
Previous message: Jan Harkes: "Re: [PATCH] fs: coda: fix a double-fetch case in coda_psdev_write"
Next in thread: Douglas Gilbert: "Re: [PATCH] scsi: fix a double-fetch bug in sg_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]