[PATCH] aacraid: prevent copy_from_user() BUG!

Mark Salyzyn <Mark_Salyzyn@xxxxxxxxxxx> · Wed, 28 May 2008 15:32:55 -0400

Seen:

	kernel BUG at arch/i386/lib/usercopy.c:872

under a 2.6.18-8.el5 kernel. Traced it to a garbage-in/garbage-out  
ioctl condition in the aacraid driver.

Adaptec's special ioctl scb passthrough needs to check the validity of  
the individual scatter gather count fields to the maximum the adapter  
supports. Doing so will have the side effect of preventing  
copy_from_user() from bugging out while populating the dma buffers.  
This is a hardening effort, issue was triggered by an errant version  
of the management tools and thus the BUG should not be seen in the  
field.

This attached patch is against current scsi-misc-2.6.

ObligatoryDisclaimer: Please accept my condolences regarding Outlook's  
handling of patch attachments (inline gets damaged, please use  
attachment).

Signed-off-by: Mark Salyzyn <aacraid@xxxxxxxxxxx>

 drivers/scsi/aacraid/commctrl.c |   32 ++++++++++++++++++++++++++++++ 
++
 1 file changed, 32 insertions(+)

diff -ru a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/ 
commctrl.c

--- a/drivers/scsi/aacraid/commctrl.c	2008-05-28 15:13:39.505105412  
-0400
+++ b/drivers/scsi/aacraid/commctrl.c	2008-05-28 15:16:53.619280840  
-0400
@@ -581,6 +581,14 @@
 			for (i = 0; i < upsg->count; i++) {
 				u64 addr;
 				void* p;
+				if (upsg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(upsg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -625,6 +633,14 @@
 			for (i = 0; i < usg->count; i++) {
 				u64 addr;
 				void* p;
+				if (usg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -667,6 +683,14 @@
 			for (i = 0; i < upsg->count; i++) {
 				uintptr_t addr;
 				void* p;
+				if (usg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -698,6 +722,14 @@
 			for (i = 0; i < upsg->count; i++) {
 				dma_addr_t addr;
 				void* p;
+				if (upsg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				p = kmalloc(upsg->sg[i].count, GFP_KERNEL);
 				if (!p) {
 					dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer -  
size = %d buffer number %d of %d\n",

Sincerely - Mark Salyzyn
Attachment:
aacraid_copy_from_user_BUG.patch

Description: Binary data





