[kernel/f21] CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079)
Josh Boyer
jwboyer at fedoraproject.org
Mon Feb 16 19:41:12 UTC 2015
commit 6e84c26d4154a85c4939eb735b8e7ec9a6c9cfab
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Feb 16 14:32:42 2015 -0500
CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079)
kernel.spec | 7 +++
vhost-scsi-potential-memory-corruption.patch | 53 ++++++++++++++++++++++++++
2 files changed, 60 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 2ff03fd..c18acd2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -644,6 +644,9 @@ Patch30004: acpi-video-add-disable_native_backlight_quirk_for_samsung_510r.patch
#CVE-2015-1593 rhbz 1192519 1192520
Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
+#CVE-XXXX-XXXX rhbz 1189864 1192079
+Patch26136: vhost-scsi-potential-memory-corruption.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1393,6 +1396,9 @@ ApplyPatch acpi-video-add-disable_native_backlight_quirk_for_samsung_510r.patch
#CVE-2015-1593 rhbz 1192519 1192520
ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
+#CVE-XXXX-XXXX rhbz 1189864 1192079
+ApplyPatch vhost-scsi-potential-memory-corruption.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2264,6 +2270,7 @@ fi
# || ||
%changelog
* Mon Feb 16 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079)
- CVE-2015-1593 stack ASLR integer overflow (rhbz 1192519 1192520)
* Wed Feb 11 2015 Justin M. Forbes <jforbes at fedoraproject.org> - 3.18.7-200
diff --git a/vhost-scsi-potential-memory-corruption.patch b/vhost-scsi-potential-memory-corruption.patch
new file mode 100644
index 0000000..8f61d92
--- /dev/null
+++ b/vhost-scsi-potential-memory-corruption.patch
@@ -0,0 +1,53 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu, 5 Feb 2015 10:37:33 +0300
+Subject: [PATCH] vhost/scsi: potential memory corruption
+
+This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
+to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
+
+I looked at the context and it turns out that in
+vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
+the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
+anything higher than 255 then it is invalid. I have made that the limit
+now.
+
+In vhost_scsi_send_evt() we mask away values higher than 255, but now
+that the limit has changed, we don't need the mask.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
+---
+ drivers/vhost/scsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
+index cb84f69f76ad..28cf2510d33b 100644
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -1251,7 +1251,7 @@ tcm_vhost_send_evt(struct vhost_scsi *vs,
+ * lun[4-7] need to be zero according to virtio-scsi spec.
+ */
+ evt->event.lun[0] = 0x01;
+- evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
++ evt->event.lun[1] = tpg->tport_tpgt;
+ if (lun->unpacked_lun >= 256)
+ evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
+ evt->event.lun[3] = lun->unpacked_lun & 0xFF;
+@@ -2122,12 +2122,12 @@ tcm_vhost_make_tpg(struct se_wwn *wwn,
+ struct tcm_vhost_tport, tport_wwn);
+
+ struct tcm_vhost_tpg *tpg;
+- unsigned long tpgt;
++ u16 tpgt;
+ int ret;
+
+ if (strstr(name, "tpgt_") != name)
+ return ERR_PTR(-EINVAL);
+- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
++ if (kstrtou16(name + 5, 10, &tpgt) || tpgt > VHOST_SCSI_MAX_TARGET)
+ return ERR_PTR(-EINVAL);
+
+ tpg = kzalloc(sizeof(struct tcm_vhost_tpg), GFP_KERNEL);
+--
+2.1.0
+
More information about the scm-commits
mailing list