Re: [PATCH] fix vulnerability in file operations of scsi target interface

Hillf Danton <dhillf@xxxxxxxxx> · Thu, 11 Nov 2010 21:45:50 +0800



On Wed, Nov 10, 2010 at 2:15 AM, Joe Eykholt <jeykholt@xxxxxxxxx> wrote:
> On 11/9/10 6:01 AM, Hillf Danton wrote:
>> Ring buffers are setup for exchanging data between K and U spaces, but
>> they could not survive multiple open operations.
>>
>> The registered misc interface is monitored and prevented from multiple
>> opens for fixing the vulnerability.
>>
>> A typo, -BUSY, is also cleaned up.
>>
>> btw, the ring buffers could be setup in a per file manner?
>>
>> Signed-off-by: Hillf Danton <dhillf@xxxxxxxxx>
>> ---
>>
>> --- a/drivers/scsi/scsi_tgt_if.c Â Â Â2010-09-13 07:07:38.000000000 +0800
>> +++ b/drivers/scsi/scsi_tgt_if.c Â Â Â2010-11-09 21:42:48.000000000 +0800
>> @@ -85,7 +85,7 @@ static int tgt_uspace_send_event(u32 typ
>> Â Â Â if (!ev->hdr.status)
>> Â Â Â Â Â Â Â tgt_ring_idx_inc(ring);
>> Â Â Â else
>> - Â Â Â Â Â Â err = -BUSY;
>> + Â Â Â Â Â Â err = -EBUSY;
>>
>> Â Â Â spin_unlock_irqrestore(&ring->tr_lock, flags);
>>
>> @@ -319,20 +319,33 @@ static int tgt_mmap(struct file *filp, s
>> Â Â Â return err;
>> Â}
>>
>> +static unsigned long tgt_open_cnt = 0;
>> +
>> Âstatic int tgt_open(struct inode *inode, struct file *file)
>> Â{
>> + Â Â if (tgt_open_cnt)
>> + Â Â Â Â Â Â return -EBUSY;
>> + Â Â tgt_open_cnt++;
>
> Since there's no locking, there's still a tiny hole where
> simultaneous opens could succeed. ÂConsider using an atomic.
> Good find and good fix otherwise.
>
Would you please, Joe, show the atomic version?
thanks//Hillf

>> +
>> Â Â Â tx_ring.tr_idx = rx_ring.tr_idx = 0;
>>
>> Â Â Â cycle_kernel_lock();
>> Â Â Â return 0;
>> Â}
>>
>> +static int tgt_release(struct inode *inode, struct file *file)
>> +{
>> + Â Â tgt_open_cnt--;
>> + Â Â return 0;
>> +}
>> +
>> Âstatic const struct file_operations tgt_fops = {
>> Â Â Â .owner Â Â Â Â Â= THIS_MODULE,
>> Â Â Â .open Â Â Â Â Â = tgt_open,
>> Â Â Â .poll Â Â Â Â Â = tgt_poll,
>> Â Â Â .write Â Â Â Â Â= tgt_write,
>> Â Â Â .mmap Â Â Â Â Â = tgt_mmap,
>> + Â Â .release Â Â Â Â= tgt_release,
>> Â};
>>
>> Âstatic struct miscdevice tgt_miscdev = {
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at Âhttp://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html