Re: [PATCH 2/3] scsi: megaraid_sas: check user-provided offsets

From: Christoph Hellwig
Date: Sat Sep 12 2020 - 03:21:06 EST

Next message: Naresh Kamboju: "Re: [PATCH 5.8 00/16] 5.8.9-rc1 review"
Previous message: jun qian: "Re: [PATCH V6 1/1] Softirq:avoid large sched delay from the pending softirqs"
In reply to: Arnd Bergmann: "[PATCH 2/3] scsi: megaraid_sas: check user-provided offsets"
Next in thread: Arnd Bergmann: "Re: [PATCH 2/3] scsi: megaraid_sas: check user-provided offsets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Sep 08, 2020 at 11:36:22PM +0200, Arnd Bergmann wrote:
> It sounds unwise to let user space pass an unchecked 32-bit
> offset into a kernel structure in an ioctl. This is an unsigned
> variable, so checking the upper bound for the size of the structure
> it points into is sufficient to avoid data corruption, but as
> the pointer might also be unaligned, it has to be written carefully
> as well.
>
> While I stumbled over this problem by reading the code, I did not
> continue checking the function for further problems like it.

Oh, yikes!

>
> Cc: stable@xxxxxxxxxxxxxxx

What about a Fixes tag instead?

> if (ioc->sense_len) {
> + /* make sure the pointer is part of the frame */
> + if (ioc->sense_off > (sizeof(union megasas_frame) - sizeof(__le64))) {

No need for the inner braces and please avoid over 80 char lines.

Otherwise looks good:

Reviewed-by: Christoph Hellwig <hch@xxxxxx>

Next message: Naresh Kamboju: "Re: [PATCH 5.8 00/16] 5.8.9-rc1 review"
Previous message: jun qian: "Re: [PATCH V6 1/1] Softirq:avoid large sched delay from the pending softirqs"
In reply to: Arnd Bergmann: "[PATCH 2/3] scsi: megaraid_sas: check user-provided offsets"
Next in thread: Arnd Bergmann: "Re: [PATCH 2/3] scsi: megaraid_sas: check user-provided offsets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]