mptfusion: holding wrong mutex due to iocnum mismatch

2017-09-24 Thread Meng Xu
In __mptctl_ioctl() of file drivers/message/fusion/mptctl.c, there seems to be a way to cause a confused deputy attack by a race condition in userspace. 1. In the first userspace fetch, copy_from_user(&khdr, uhdr, sizeof(khdr)), a user process can put, say, 01, in uhdr->iocnum which will be fetched

Re: [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check

2017-09-20 Thread Meng Xu
> On Sep 20, 2017, at 11:26 PM, Al Viro <v...@zeniv.linux.org.uk> wrote: > > On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote: >> Since right after the user copy, we are going to >> memset(&karg, 0, sizeof(karg)), I guess an access_ok chec

[PATCH] mpt3sas: remove redundant copy_from_user in _ctl_getiocinfo

2017-09-20 Thread Meng Xu
Since right after the user copy, we are going to memset(&karg, 0, sizeof(karg)), the copy_from_user is redundant Signed-off-by: Meng Xu <mengxu.gat...@gmail.com> --- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_ct

[PATCH] aacraid: fix potential double-fetch issue

2017-09-19 Thread Meng Xu
rrides user_srbcmd->count after the second userspace fetch with the value fibsize from the first userspace fetch. In this way, it is assured that the relation, user_srbcmd->count stores the size of the user_srbcmd buffer, still holds after the second fetch. Signed-off-by: Meng Xu <mengxu.g
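
The two threads above (the mptfusion iocnum mismatch and the aacraid double-fetch fix) describe the same shape: a driver reads a header field from user memory once to choose a lock or validate a size, then copies the whole structure a second time and trusts the re-read field. The following is an added, self-contained C model of that pattern and of the fix the aacraid patch describes (re-asserting the first-fetched value over the second copy). It is constructed for illustration and is not code from either driver or from the patches in these threads: struct user_hdr, copy_from_user_sim(), vulnerable_ioctl(), hardened_ioctl() and the flip_iocnum() racing hook are all hypothetical names, and copy_from_user() is modelled as a plain memcpy() from memory that the "user" side rewrites between the two fetches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two-fetch ioctl pattern discussed in the
 * thread. All names here are hypothetical; this is not the kernel's
 * mptctl or aacraid code. */

#define MAX_ADAPTERS 2

struct user_hdr {
    int iocnum;          /* which adapter (and therefore which mutex) */
    uint32_t count;      /* size of the payload the caller claims */
    uint8_t payload[64];
};

/* Stand-in for copy_from_user(): a plain memcpy, since the "user
 * mapping" here is ordinary memory another thread may rewrite. */
static int copy_from_user_sim(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Hook run between the kernel's first and second fetch; models a
 * racing user thread rewriting the shared page. */
typedef void (*race_hook)(struct user_hdr *uhdr);

/* Vulnerable shape: pick the adapter (and take its lock) from the
 * first fetch, then re-read the whole header and use its fields again.
 * *locked_ioc receives the adapter whose lock was taken; the return
 * value is the adapter the handler actually goes on to operate on. */
static int vulnerable_ioctl(struct user_hdr *uhdr, race_hook hook, int *locked_ioc)
{
    struct user_hdr khdr;
    int iocnum;

    /* first fetch: just the selector field */
    if (copy_from_user_sim(&iocnum, &uhdr->iocnum, sizeof(iocnum)))
        return -1;
    if (iocnum < 0 || iocnum >= MAX_ADAPTERS)
        return -1;
    *locked_ioc = iocnum;           /* mutex_lock(&ioc[iocnum]->lock) */

    if (hook)
        hook(uhdr);                 /* user races here */

    /* second fetch: the full header, selector re-read from user memory */
    if (copy_from_user_sim(&khdr, uhdr, sizeof(khdr)))
        return -1;
    return khdr.iocnum;             /* may no longer equal *locked_ioc */
}

/* Hardened shape, as the aacraid patch describes for count/fibsize:
 * after the second fetch, overwrite the re-read field with the value
 * validated on the first fetch so the relation established before the
 * lock (or size check) still holds. */
static int hardened_ioctl(struct user_hdr *uhdr, race_hook hook, int *locked_ioc)
{
    struct user_hdr khdr;
    int iocnum;

    if (copy_from_user_sim(&iocnum, &uhdr->iocnum, sizeof(iocnum)))
        return -1;
    if (iocnum < 0 || iocnum >= MAX_ADAPTERS)
        return -1;
    *locked_ioc = iocnum;

    if (hook)
        hook(uhdr);

    if (copy_from_user_sim(&khdr, uhdr, sizeof(khdr)))
        return -1;
    khdr.iocnum = iocnum;           /* re-assert the first-fetched value */
    return khdr.iocnum;
}

/* Constructed racing user: flips the selector to the other adapter. */
static void flip_iocnum(struct user_hdr *uhdr)
{
    uhdr->iocnum ^= 1;
}

/* Runs one scenario against a handler. Returns 1 when the adapter the
 * handler operates on is the one whose lock it holds, 0 on mismatch. */
static int consistent(int (*handler)(struct user_hdr *, race_hook, int *))
{
    struct user_hdr uhdr = { .iocnum = 0, .count = 16 };   /* constructed input */
    int locked = -1;
    int used = handler(&uhdr, flip_iocnum, &locked);
    return used == locked;
}

int main(void)
{
    printf("vulnerable handler lock/data consistent: %d\n", consistent(vulnerable_ioctl));
    printf("hardened handler lock/data consistent:   %d\n", consistent(hardened_ioctl));
    return 0;
}
```

The race hook makes the interleaving deterministic so the mismatch is reproducible rather than timing-dependent; in a real kernel the window is the gap between the two copy_from_user() calls. The same re-assertion applies to a size field: validate count on the first fetch and write that validated value back over the second copy, instead of trusting whatever the second copy carried.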

[PATCH] mpt3sas: downgrade full copy_from_user to access_ok check

2017-09-19 Thread Meng Xu
Since right after the user copy, we are going to memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough? Signed-off-by: Meng Xu <mengxu.gat...@gmail.com> --- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/m