mptfusion: holding wrong mutex due to iocnum mismatch

2017-09-24 Thread Meng Xu
In __mptctl_ioctl() of file drivers/message/fusion/mptctl.c, there seems to be a way to cause a confused deputy attack by a race condition in userspace. 1. In the first userspace fetch, copy_from_user(&khdr, uhdr, sizeof(khdr)), a user process can put, say, 01, in uhdr->iocnum which will be fetche

Re: [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check

2017-09-20 Thread Meng Xu
> On Sep 20, 2017, at 11:26 PM, Al Viro wrote:
>
> On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote:
>> Since right after the user copy, we are going to
>> memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough?
>
> access_ok() is *NOT*

[PATCH] mpt3sas: remove redundant copy_from_user in _ctl_getiocinfo

2017-09-20 Thread Meng Xu
Since right after the user copy, we are going to memset(&karg, 0, sizeof(karg)), the copy_from_user is redundant Signed-off-by: Meng Xu --- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt

[PATCH] aacraid: fix potential double-fetch issue

2017-09-19 Thread Meng Xu
md. The patch explicitly overrides user_srbcmd->count after the second userspace fetch with the value fibsize from the first userspace fetch. In this way, it is assured that the relation, user_srbcmd->count stores the size of the user_srbcmd buffer, still holds after the second fetch. Si

[PATCH] mpt3sas: downgrade full copy_from_user to access_ok check

2017-09-19 Thread Meng Xu
Since right after the user copy, we are going to memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough? Signed-off-by: Meng Xu --- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/dri