Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 13 May 2015 11:16:45 -0400 (EDT)
From: Wade Mealing <>
To: OSS Security List <>
Subject: CVE request for vhost/scsi possible memory corruption.


I'd like to ask for a CVE number for this the issue fixed in [1], as per their description:

-- vhost/scsi: potential memory corruption
This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.

I looked at the context and it turns out that in
vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
anything higher than 255 then it is invalid.  I have made that the limit

In vhost_scsi_send_evt() we mask away values higher than 255, but now
that the limit has changed, we don't need the mask.
The first check that slips past is here:

-- drivers/vhost/scsi.c - vhost_scsi_make_tpg()

 if (vs->vs_tpg && vs->vs_tpg[tpg->tport_tpgt]) 

My theory is that the possible memory corruption happens later:

-- drivers/vhost/scsi.c - vhost_scsi_make_tpg()

  // sets this null pointer, to "tpg" value.
  vs_tpg[tpg->tport_tpgt] = tpg;

When vs_tpg[tpg->tport_tpgt] = 0 

It appears that no Red Hat Enter Linux versions are affected as the config
directive CONFIG_VHOST_SCSI is not enabled in Red Hat Products.


Wade Mealing
Red Hat Product Security


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ