linux/drivers/message/fusion
Dan Carpenter b307a5e974 scsi: mptfusion: Fix double fetch bug in ioctl
commit 28d76df18f upstream.

Tom Hatskevich reported that we look up "iocp" then, in the called
functions we do a second copy_from_user() and look it up again.
The problem that could cause is:

drivers/message/fusion/mptctl.c
   674          /* All of these commands require an interrupt or
   675           * are unknown/illegal.
   676           */
   677          if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
                                               ^^^^
We take this lock.

   678                  return ret;
   679
   680          if (cmd == MPTFWDOWNLOAD)
   681                  ret = mptctl_fw_download(arg);
                                                 ^^^
Then the user memory changes and we look up "iocp" again but a different
one so now we are holding the incorrect lock and have a race condition.

   682          else if (cmd == MPTCOMMAND)
   683                  ret = mptctl_mpt_command(arg);

The security impact of this bug is not as bad as it could have been
because these operations are all privileged and root already has
enormous destructive power.  But it's still worth fixing.

This patch passes the "iocp" pointer to the functions to avoid the
second lookup.  That deletes 100 lines of code from the driver so
it's a nice clean up as well.

Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
Reported-by: Tom Hatskevich <tom2001tom.23@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-01-23 08:22:35 +01:00
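The double fetch the commit message describes, as an added user-space model (not code from the kernel tree): the "user memory" is a struct the caller owns, fetch_hdr() stands in for copy_from_user(), lookup() for the adapter lookup, and mptctl_ioctl_model(), fw_download_buggy() and fw_download_fixed() are hypothetical stand-ins for mptctl_ioctl() and its callees before and after the fix. The `race` flag deterministically replays another thread rewriting the buffer after the lock is taken.

```c
#include <string.h>

#define NUM_IOC 2
struct ioc { int id; int locked; };           /* stands in for the adapter struct */
static struct ioc iocs[NUM_IOC] = { {0, 0}, {1, 0} };
struct hdr { int ioc_id; };                   /* ioctl header in "user memory" (constructed) */

/* Simulated copy_from_user(): snapshot the user buffer at this instant. */
static void fetch_hdr(const struct hdr *user, struct hdr *out) { memcpy(out, user, sizeof(*out)); }

/* Resolve the adapter by index (hypothetical stand-in for the driver's lookup). */
static struct ioc *lookup(int id) { return (id >= 0 && id < NUM_IOC) ? &iocs[id] : NULL; }

/* Buggy callee shape: re-fetches the header and resolves iocp a second time.
 * Returns 1 if it ended up on an adapter other than the one that is locked. */
static int fw_download_buggy(struct hdr *user, const struct ioc *locked)
{
	struct hdr h;
	fetch_hdr(user, &h);                  /* second copy_from_user() */
	return lookup(h.ioc_id) != locked;
}

/* Fixed callee shape: iocp is handed in, so the header is read only for its
 * payload and the adapter is never resolved again. */
static int fw_download_fixed(struct ioc *iocp, struct hdr *user)
{
	struct hdr h;
	fetch_hdr(user, &h);
	(void)h; (void)iocp;
	return 0;
}

/* Dispatcher shape of mptctl_ioctl(). `race` models another thread rewriting
 * the user buffer after the lock is taken; `fixed` selects the callee.
 * Returns -1 for a bad adapter index, otherwise the callee's mismatch flag. */
static int mptctl_ioctl_model(struct hdr *user, int race, int fixed)
{
	struct hdr h;
	struct ioc *iocp;
	int ret;
	fetch_hdr(user, &h);                  /* first copy_from_user() */
	iocp = lookup(h.ioc_id);
	if (!iocp)
		return -1;
	iocp->locked = 1;                     /* mptctl_syscall_down(iocp) */
	if (race)
		user->ioc_id = (user->ioc_id + 1) % NUM_IOC;
	ret = fixed ? fw_download_fixed(iocp, user) : fw_download_buggy(user, iocp);
	iocp->locked = 0;
	return ret;
}
```

With the buggy callee and `race` set, the second lookup lands on a different adapter than the locked one, which is the wrong-lock condition the message describes; with the fixed callee the same rewrite has no effect.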
lsi scsi: message: fusion: fix a few trivial spelling mistakes 2018-09-11 21:18:06 -04:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mptbase.c scsi: message: fusion: Use kmemdup instead of memcpy and kmalloc 2019-06-18 19:46:24 -04:00
mptbase.h
mptctl.c scsi: mptfusion: Fix double fetch bug in ioctl 2020-01-23 08:22:35 +01:00
mptctl.h
mptdebug.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mptfc.c scsi: flip the default on use_clustering 2018-12-18 23:13:12 -05:00
mptlan.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mptlan.h scsi: mptlan: Remove linux/miscdevice.h from mptlan.h 2017-01-05 00:21:12 -05:00
mptsas.c scsi: mptfusion: fix indentation issues 2019-03-19 17:17:08 -04:00
mptsas.h
mptscsih.c scsi: mptscsih: Mark expected switch fall-throughs 2019-04-03 23:45:59 -04:00
mptscsih.h
mptspi.c scsi: mptfusion: remove set, but not used, variables 2019-03-19 17:19:36 -04:00