Wenwen, > In megasas_mgmt_compat_ioctl_fw(), to handle the structure > compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket > 'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle the > packet. Since the two data structures have different fields, the data is > copied from 'cioc' to 'ioc' field by field. In the copy process, > 'sense_ptr' is prepared if the field 'sense_len' is not null, because it > will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the > user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and saved > to kernel-space variables 'local_sense_off' and 'user_sense_off' > respectively. Given that 'ioc->sense_off' is also copied from > 'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the > same value. However, 'cioc' is in the user space and a malicious user can > race to change the value of 'cioc->sense_off' after it is copied to > 'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing so, > the attacker can inject different values into 'local_sense_off' and > 'user_sense_off'. This can cause undefined behavior in the following > execution, because the two variables are supposed to be same. > > This patch enforces a check on the two kernel variables 'local_sense_off' > and 'user_sense_off' to make sure they are the same after the copy. In case > they are not, an error code EINVAL will be returned. Broadcom folks: Please review! -- Martin K. Petersen Oracle Linux Engineering
