oss-sec mailing list archives
CVE request: Integer overflow in SCSI generic driver in Linux <4.1
From: Ben Hutchings <ben () decadent org uk>
Date: Sat, 01 Aug 2015 18:16:39 +0100
This bug has been present for a long time, probably introduced in Linux 2.6.28 by:

commit 10db10d144c0248f285242f79daf6b9de6b00a62
Author: FUJITA Tomonori <fujita.tomonori () lab ntt co jp>
Date:   Fri Aug 29 12:32:18 2008 +0200

    sg: convert the indirect IO path to use the block layer

    This patch converts the indirect IO path (including mmap IO and old struct sg_header) to use the block layer functions (blk_get_request, blk_execute_rq_nowait, blk_rq_map_user, etc) instead of scsi_execute_async().

    [Jens: fixed compile error with SCSI logging enabled]

    Signed-off-by: FUJITA Tomonori <fujita.tomonori () lab ntt co jp>
    Signed-off-by: Douglas Gilbert <dougg () torque net>
    Cc: Mike Christie <michaelc () cs wisc edu>
    Cc: James Bottomley <James.Bottomley () HansenPartnership com>
    Signed-off-by: Jens Axboe <jens.axboe () oracle com>

It was fixed in Linux 4.1-rc1 by:

commit 451a2886b6bf90e2fb378f7c46c655450fb96e81
Author: Al Viro <viro () zeniv linux org uk>
Date:   Sat Mar 21 20:08:18 2015 -0400

    sg_start_req(): make sure that there's not too many elements in iovec

    unfortunately, allowing an arbitrary 16bit value means a possibility of overflow in the calculation of total number of pages in bio_map_user_iov() - we rely on there being no more than PAGE_SIZE members of sum in the first loop there. If that sum wraps around, we end up allocating too small array of pointers to pages and it's easy to overflow it in the second loop.

    X-Coverup: TINC (and there's no lumber cartel either)
    Cc: stable () vger kernel org # way, way back
    Signed-off-by: Al Viro <viro () zeniv linux org uk>

commit fdc81f45e9f57858da6351836507fbcf1b7583ee
Author: Al Viro <viro () zeniv linux org uk>
Date:   Sat Mar 21 20:25:30 2015 -0400

    sg_start_req(): use import_iovec()

    Signed-off-by: Al Viro <viro () zeniv linux org uk>

This has not been included in any stable branches yet. When backporting the fix to older kernel versions, the second commit can't be used. The first commit requires a naming fix-up: s/MAX_UIOVEC/UIO_MAXIOV/.

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
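The arithmetic the second commit message describes, as an added user-space model that is not kernel code and not part of Ben's message or Al Viro's patch: the first loop of the page-count calculation is reproduced with a 32-bit accumulator (an assumption about the historical code; the commit only says the sum wraps) over a 16-bit element count, beside a hardened version that applies the UIO_MAXIOV bound the first fix commit adds plus two extra checks (address wrap and accumulator wrap) that are not taken from the commit. PAGE_SIZE 4096 and UIO_MAXIOV 1024 are assumed x86-64 values, and the 65535-element iovec is constructed so that the true total of 2^32 + 8 pages wraps to 8, which is the size the page-pointer array would have been allocated with.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constants assumed for the model (x86-64 Linux values). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define UIO_MAXIOV 1024

/* One iovec element: user address and byte length, both user-controlled. */
struct iov_model {
    uint64_t base;
    uint64_t len;
};

/* Pages spanned by one element: last page index (rounded up) minus first. */
static uint64_t pages_for(const struct iov_model *v)
{
    uint64_t start = v->base >> PAGE_SHIFT;
    uint64_t end   = (v->base + v->len + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return end - start;
}

/* Pre-fix shape of the first loop: a 32-bit page count accumulated over an
 * unbounded 16-bit element count (the 32-bit width is a modelling
 * assumption). The sum wraps silently, and the wrapped value is what would
 * size the array of struct page pointers that the second loop fills. */
uint32_t nr_pages_unchecked(const struct iov_model *iov, unsigned short count)
{
    uint32_t nr_pages = 0;
    for (unsigned i = 0; i < count; i++)
        nr_pages += (uint32_t)pages_for(&iov[i]);
    return nr_pages;
}

/* Hardened shape: reject more than UIO_MAXIOV elements (the bound the first
 * fix commit adds) and, as extra checks not taken from the commit, refuse an
 * element whose base + len wraps and a total that no longer fits the 32-bit
 * accumulator. Returns 0 and stores the page count in *out, or -1. */
int nr_pages_checked(const struct iov_model *iov, unsigned short count,
                     uint64_t *out)
{
    uint64_t total = 0;

    if (count > UIO_MAXIOV)
        return -1;
    for (unsigned i = 0; i < count; i++) {
        uint64_t p;

        if (iov[i].base + iov[i].len < iov[i].base)
            return -1;                      /* base + len wrapped */
        p = pages_for(&iov[i]);
        if (p > UINT32_MAX - total)
            return -1;                      /* sum would wrap */
        total += p;
    }
    *out = total;
    return 0;
}

/* Constructed sample input: 65535 elements (the largest 16-bit count) of
 * 65537 pages each, plus 9 extra pages on the first, so the true total is
 * 65535 * 65537 + 9 = 2^32 + 8 pages, which wraps to 8 in 32 bits. */
#define NELEM 65535
static struct iov_model sample[NELEM];

void build_sample(void)
{
    for (size_t i = 0; i < NELEM; i++) {
        sample[i].base = 0x10000000ULL;         /* page aligned */
        sample[i].len  = 65537ULL * PAGE_SIZE;
    }
    sample[0].len += 9 * PAGE_SIZE;
}

/* True page total computed without truncation, for comparison. */
uint64_t sample_true_total(void)
{
    uint64_t total = 0;
    for (size_t i = 0; i < NELEM; i++)
        total += pages_for(&sample[i]);
    return total;
}

int main(void)
{
    uint64_t checked = 0;

    build_sample();
    printf("true page count:    %llu\n",
           (unsigned long long)sample_true_total());
    printf("wrapped page count: %u\n", nr_pages_unchecked(sample, NELEM));
    printf("checked path:       %s\n",
           nr_pages_checked(sample, NELEM, &checked) ? "rejected" : "accepted");
    return 0;
}
```

The element count check alone is what the backportable first commit provides; the wrap checks in nr_pages_checked are there to show where the second loop's out-of-bounds writes originate, not to claim that the kernel fix contains them.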