oss-sec mailing list archives

CVE request: Integer overflow in SCSI generic driver in Linux <4.1


From: Ben Hutchings <ben () decadent org uk>
Date: Sat, 01 Aug 2015 18:16:39 +0100

This bug has been present for a long time, probably introduced in Linux
2.6.28 by:

commit 10db10d144c0248f285242f79daf6b9de6b00a62
Author: FUJITA Tomonori <fujita.tomonori () lab ntt co jp>
Date:   Fri Aug 29 12:32:18 2008 +0200

    sg: convert the indirect IO path to use the block layer
    
    This patch converts the indirect IO path (including mmap IO and old
    struct sg_header) to use the block layer functions (blk_get_request,
    blk_execute_rq_nowait, blk_rq_map_user, etc) instead of
    scsi_execute_async().
    
    [Jens: fixed compile error with SCSI logging enabled]
    
    Signed-off-by: FUJITA Tomonori <fujita.tomonori () lab ntt co jp>
    Signed-off-by: Douglas Gilbert <dougg () torque net>
    Cc: Mike Christie <michaelc () cs wisc edu>
    Cc: James Bottomley <James.Bottomley () HansenPartnership com>
    Signed-off-by: Jens Axboe <jens.axboe () oracle com>

It was fixed in Linux 4.1-rc1 by:

commit 451a2886b6bf90e2fb378f7c46c655450fb96e81
Author: Al Viro <viro () zeniv linux org uk>
Date:   Sat Mar 21 20:08:18 2015 -0400

    sg_start_req(): make sure that there's not too many elements in iovec
    
    Unfortunately, allowing an arbitrary 16-bit value means a possibility of
    overflow in the calculation of the total number of pages in bio_map_user_iov() -
    we rely on there being no more than PAGE_SIZE members of the sum in the
    first loop there.  If that sum wraps around, we end up allocating
    too small an array of pointers to pages and it's easy to overflow it in
    the second loop.
    
    X-Coverup: TINC (and there's no lumber cartel either)
    Cc: stable () vger kernel org # way, way back
    Signed-off-by: Al Viro <viro () zeniv linux org uk>

commit fdc81f45e9f57858da6351836507fbcf1b7583ee
Author: Al Viro <viro () zeniv linux org uk>
Date:   Sat Mar 21 20:25:30 2015 -0400

    sg_start_req(): use import_iovec()
    
    Signed-off-by: Al Viro <viro () zeniv linux org uk>

This has not been included in any stable branches yet.

When backporting the fix to older kernel versions, the second commit
can't be used.  The first commit requires a naming fix-up:
s/MAX_UIOVEC/UIO_MAXIOV/.

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
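The page-count sum that the fix commit describes, modelled in user space as an added example (not code from the kernel tree or from this post): count_iov_pages mirrors the first loop of bio_map_user_iov(), applies the UIO_MAXIOV bound that the fix adds in sg_start_req(), and additionally guards the running sum with an explicit overflow check. The struct iovec, PAGE_SHIFT/PAGE_SIZE stand-ins and the function name are constructed here.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel definitions (not kernel code). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define UIO_MAXIOV 1024          /* bound the fix applies to iovec_count */

struct iovec {
    void   *iov_base;
    size_t  iov_len;
};

/*
 * Mirror of the first loop in bio_map_user_iov(): sum the pages each
 * segment spans.  iov_count models the 16-bit sg_io_hdr.iovec_count.
 * Returns 0 and stores the total in *nr_pages, or -EINVAL when the
 * request is rejected.
 */
int count_iov_pages(const struct iovec *iov, unsigned int iov_count,
                    unsigned long *nr_pages)
{
    unsigned long total = 0;

    /* The fix: refuse an iovec longer than the generic I/O limit. */
    if (iov_count > UIO_MAXIOV)
        return -EINVAL;

    for (unsigned int i = 0; i < iov_count; i++) {
        unsigned long uaddr = (unsigned long)iov[i].iov_base;
        unsigned long len   = iov[i].iov_len;
        unsigned long end   = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
        unsigned long start = uaddr >> PAGE_SHIFT;

        /* Per-segment wrap check, as in the kernel loop. */
        if (end < start)
            return -EINVAL;

        /* Extra guard: the running sum itself must never wrap. */
        if (__builtin_add_overflow(total, end - start, &total))
            return -EINVAL;
    }

    *nr_pages = total;
    return 0;
}
```

With the bound in place the sum is at most UIO_MAXIOV times the per-segment page count, which is why the kernel fix needs no separate check on the accumulator; the extra guard here is defence in depth for callers that accept other limits.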
