[PATCH] sg: fix a double-fetch bug in sg_write()
From: Gen Zhang
Date: Thu May 30 2019 - 21:31:01 EST
In sg_write(), the opcode of the command is fetched the first time from
the userspace by __get_user(). Then the whole command, the opcode
included, is fetched again from userspace by __copy_from_user().
However, a malicious user can change the opcode between the two fetches.
This can cause inconsistent data and potential errors as cmnd is used in
the following codes.
Thus we should check opcode between the two fetches to prevent this.
Signed-off-by: Gen Zhang <blackgod016574@xxxxxxxxx>
---
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index d3f1531..a2971b8 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -694,6 +694,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
hp->flags = input_size; /* structure abuse ... */
hp->pack_id = old_hdr.pack_id;
hp->usr_ptr = NULL;
+ if (opcode != cmnd[0])
+ return -EINVAL;
if (__copy_from_user(cmnd, buf, cmd_size))
return -EFAULT;
/*
---