Date: Wed, 13 May 2015 11:16:45 -0400 (EDT) From: Wade Mealing <wmealing@...hat.com> To: OSS Security List <oss-security@...ts.openwall.com> Cc: cve-assign@...re.org Subject: CVE request for vhost/scsi possible memory corruption. Gday, I'd like to ask for a CVE number for this the issue fixed in , as per their description: -- vhost/scsi: potential memory corruption This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt" to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16. I looked at the context and it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg array which has VHOST_SCSI_MAX_TARGET (256) elements so anything higher than 255 then it is invalid. I have made that the limit now. In vhost_scsi_send_evt() we mask away values higher than 255, but now that the limit has changed, we don't need the mask. -- The first check that slips past is here: -- drivers/vhost/scsi.c - vhost_scsi_make_tpg() if (vs->vs_tpg && vs->vs_tpg[tpg->tport_tpgt]) My theory is that the possible memory corruption happens later: -- drivers/vhost/scsi.c - vhost_scsi_make_tpg() // sets this null pointer, to "tpg" value. vs_tpg[tpg->tport_tpgt] = tpg; When vs_tpg[tpg->tport_tpgt] = 0 It appears that no Red Hat Enter Linux versions are affected as the config directive CONFIG_VHOST_SCSI is not enabled in Red Hat Products. Thanks Wade Mealing Red Hat Product Security 1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=59c816c1f24df0204e01851431d3bab3eb76719c
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ