Dear maintainers,

Hi, our team has found a missing-check bug in Linux kernel v5.10.7 using static analysis. The function sg_ioctl_common() lacks a security check before calling sg_scsi_ioctl(). Specifically, in the checking example, scsi_ioctl_common() checks CAP_SYS_ADMIN or CAP_SYS_RAWIO at line 6 before calling sg_scsi_ioctl():

 1.
 2. static int scsi_ioctl_common(struct scsi_device *sdev, int cmd, void __user *arg)
 3. {
 4.     ...
 5.     case SCSI_IOCTL_SEND_COMMAND:
 6.         if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
 7.             return -EACCES;
 8.         return sg_scsi_ioctl(sdev->request_queue, NULL, 0, arg);
 9.     ...
10. }

In the no-check function sg_ioctl_common(), sg_scsi_ioctl() is called at line 9 without checking the CAP_SYS_ADMIN or CAP_SYS_RAWIO capability:

 1.
 2. static long sg_ioctl_common(struct file *filp, Sg_device *sdp, Sg_fd *sfp,
 3.                             unsigned int cmd_in, void __user *p)
 4. {
 5.     ...
 6.     case SCSI_IOCTL_SEND_COMMAND:
 7.         if (atomic_read(&sdp->detaching))
 8.             return -ENODEV;
 9.         return sg_scsi_ioctl(sdp->device->request_queue, NULL, filp->f_mode, p);
10.     ...
11. }

sg_ioctl() calls the above functions: it first calls the no-check function sg_ioctl_common() and then calls the checking function scsi_ioctl() => scsi_ioctl_common(). However, the delayed check may cause a problem.

 1. static long sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 2. {
 3.     ...
 4.     ret = sg_ioctl_common(filp, sdp, sfp, cmd_in, p);
 5.     if (ret != -ENOIOCTLCMD)
 6.         return ret;
 7.     return scsi_ioctl(sdp->device, cmd_in, p);
 8. }
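The dispatch-order point in the report above, as an added user-space model that is not part of the report and not kernel code: the first dispatcher (sg_ioctl_common) handles SCSI_IOCTL_SEND_COMMAND and returns a value other than -ENOIOCTLCMD, so the second dispatcher (scsi_ioctl_common), which carries the capability check, is never reached for that command. The model stubs capable(), sg_scsi_ioctl() and the ioctl constants with stand-in values (assumptions, not the kernel's), makes no claim about any checks inside sg_scsi_ioctl() itself (the report does not discuss them), and places the hardened sg_ioctl_common() beside the unpatched one so the difference is visible.

```c
/* Added example: a user-space model of the ioctl dispatch chain described in
 * the report (sg_ioctl -> sg_ioctl_common -> scsi_ioctl_common). Not kernel
 * code: capable(), the ioctl number and sg_scsi_ioctl() are stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define SCSI_IOCTL_SEND_COMMAND 1   /* stand-in value, not the real number */
#define ENOIOCTLCMD 515             /* kernel-internal "not handled" code */

enum { CAP_SYS_ADMIN = 1 << 0, CAP_SYS_RAWIO = 1 << 1 };

/* Capability set of the calling task (assumption: a simple bitmask). */
static unsigned int task_caps;
static bool capable(unsigned int cap) { return (task_caps & cap) != 0; }

/* Stub for the privileged sink; counts how often it is reached. */
static int sg_scsi_ioctl_calls;
static int sg_scsi_ioctl(void) { sg_scsi_ioctl_calls++; return 0; }

/* Checking function from the report: the capability test precedes the call. */
static int scsi_ioctl_common(unsigned int cmd)
{
    switch (cmd) {
    case SCSI_IOCTL_SEND_COMMAND:
        if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
            return -EACCES;
        return sg_scsi_ioctl();
    default:
        return -ENOIOCTLCMD;
    }
}

/* No-check function from the report, as it stands: no capability test. */
static int sg_ioctl_common_unpatched(unsigned int cmd)
{
    switch (cmd) {
    case SCSI_IOCTL_SEND_COMMAND:
        return sg_scsi_ioctl();
    default:
        return -ENOIOCTLCMD;
    }
}

/* The same function with the check the report asks for, added up front. */
static int sg_ioctl_common_patched(unsigned int cmd)
{
    switch (cmd) {
    case SCSI_IOCTL_SEND_COMMAND:
        if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
            return -EACCES;
        return sg_scsi_ioctl();
    default:
        return -ENOIOCTLCMD;
    }
}

/* sg_ioctl(): the first dispatcher's answer is final unless it returns
 * -ENOIOCTLCMD, so the second dispatcher's check runs only for commands the
 * first one declines to handle. */
static int sg_ioctl(int (*common)(unsigned int), unsigned int cmd)
{
    int ret = common(cmd);
    if (ret != -ENOIOCTLCMD)
        return ret;
    return scsi_ioctl_common(cmd);
}

/* Issue SCSI_IOCTL_SEND_COMMAND with the given capability set and return
 * what user space would see (0 or a negative errno). */
int ioctl_result(int patched, unsigned int caps)
{
    task_caps = caps;
    sg_scsi_ioctl_calls = 0;
    return sg_ioctl(patched ? sg_ioctl_common_patched : sg_ioctl_common_unpatched,
                    SCSI_IOCTL_SEND_COMMAND);
}

/* 1 if the privileged sink was reached for that call, else 0. */
int privileged_path_reached(int patched, unsigned int caps)
{
    ioctl_result(patched, caps);
    return sg_scsi_ioctl_calls > 0;
}

int main(void)
{
    unsigned int both = CAP_SYS_ADMIN | CAP_SYS_RAWIO;
    printf("unpatched, no caps : ret=%d reached=%d\n",
           ioctl_result(0, 0), privileged_path_reached(0, 0));
    printf("patched,   no caps : ret=%d reached=%d\n",
           ioctl_result(1, 0), privileged_path_reached(1, 0));
    printf("patched,   both    : ret=%d reached=%d\n",
           ioctl_result(1, both), privileged_path_reached(1, both));
    return 0;
}
```

In the unpatched model a task with no capabilities reaches sg_scsi_ioctl() because sg_ioctl_common() answers the command itself and scsi_ioctl_common() is never consulted; with the check moved into sg_ioctl_common() the same call fails with -EACCES, and only a task holding both CAP_SYS_ADMIN and CAP_SYS_RAWIO gets through. The model says nothing about what sg_scsi_ioctl() does with the f_mode argument on a real kernel, which is the question a maintainer would verify before accepting the report.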