Re: [PATCH] sg: Fix a double-fetch bug in drivers/scsi/sg.c

2019-06-06 Thread Gen Zhang
On Wed, Jun 05, 2019 at 01:07:25PM -0400, Douglas Gilbert wrote:
> On 2019-06-05 2:00 a.m., Jiri Slaby wrote:
> >On 23. 05. 19, 4:38, Gen Zhang wrote:
> >>In sg_write(), the opcode of the command is fetched the first time from
> >>the userspace by __get_user(). Then the whole command, the opcode

Re: [PATCH] sg: Fix a double-fetch bug in drivers/scsi/sg.c

2019-06-05 Thread Douglas Gilbert
On 2019-06-05 2:00 a.m., Jiri Slaby wrote: On 23. 05. 19, 4:38, Gen Zhang wrote: In sg_write(), the opcode of the command is fetched the first time from the userspace by __get_user(). Then the whole command, the opcode included, is fetched again from userspace by __copy_from_user(). However, a m

Re: [PATCH] sg: Fix a double-fetch bug in drivers/scsi/sg.c

2019-06-04 Thread Jiri Slaby
On 23. 05. 19, 4:38, Gen Zhang wrote:
> In sg_write(), the opcode of the command is fetched the first time from
> the userspace by __get_user(). Then the whole command, the opcode
> included, is fetched again from userspace by __copy_from_user().
> However, a malicious user can change the opcode

[PATCH] sg: Fix a double-fetch bug in drivers/scsi/sg.c

2019-05-22 Thread Gen Zhang
In sg_write(), the opcode of the command is fetched the first time from the userspace by __get_user(). Then the whole command, the opcode included, is fetched again from userspace by __copy_from_user(). However, a malicious user can change the opcode between the two fetches. This can cause incon