diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2018-07-10 17:02:17 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-07-10 17:02:17 -0700 |
commit | f075dce66c6039bb97b762b592a6db6d79e4350a (patch) | |
tree | 521e7ab6bef51dac51260b58b36f5c00843be905 /drivers/scsi | |
parent | 1e09177acae32a61586af26d83ca5ef591cdcaf5 (diff) |
scsi sg: remove incorrect scsi command checking logic
The SCSI_IOCTL_SEND_COMMAND ioctl has interesting scsi command
"security" checking.
If the file was opened read-only (but only in that case), it will
fetch the first byte of the command from user space, and do
"sg_allow_access()" on it. That, in turn, will check that
"blk_verify_command()" is ok with that command byte.
If that passes, it will then do call "sg_scsi_ioctl()" to execute
the command.
This is entirely nonsensical for several reasons.
It's nonsensical simply because it's racy: after it copies the command
byte from user mode to check it, user mode could just change the byte
before it is actually submitted later by "sg_scsi_ioctl()".
But it is nonsensical also because "sg_scsi_ioctl()" itself already does
blk_verify_command() on the command properly after it has been copied
from user space.
So it is an incorrect implementation of a pointless check. Remove it.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/scsi')
-rw-r--r-- | drivers/scsi/sg.c | 9 |
1 files changed, 0 insertions, 9 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index cd2fdac000c9..4f3450793273 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1103,15 +1103,6 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) case SCSI_IOCTL_SEND_COMMAND: if (atomic_read(&sdp->detaching)) return -ENODEV; - if (read_only) { - unsigned char opcode = WRITE_6; - Scsi_Ioctl_Command __user *siocp = p; - - if (copy_from_user(&opcode, siocp->data, 1)) - return -EFAULT; - if (sg_allow_access(filp, &opcode)) - return -EPERM; - } return sg_scsi_ioctl(sdp->device->request_queue, NULL, filp->f_mode, p); case SG_SET_DEBUG: result = get_user(val, ip); |