Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 21 May 2015 11:31:31 -0400 (EDT)
From: cve-assign@...re.org
To: wmealing@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vhost/scsi possible memory corruption.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=59c816c1f24df0204e01851431d3bab3eb76719c
> 
> -- vhost/scsi: potential memory corruption
> This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
> to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
> 
> I looked at the context and it turns out that in
> vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
> the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
> anything higher than 255 then it is invalid.  I have made that the limit
> now.
> 
> In vhost_scsi_send_evt() we mask away values higher than 255, but now
> that the limit has changed, we don't need the mask.
> --
> The first check that slips past is here:
> 
> -- drivers/vhost/scsi.c - vhost_scsi_make_tpg()
> 
>  if (vs->vs_tpg && vs->vs_tpg[tpg->tport_tpgt])
> 
> My theory is that the possible memory corruption happens later:
> 
> -- drivers/vhost/scsi.c - vhost_scsi_make_tpg()
> 
>   // sets this null pointer, to "tpg" value.
>   vs_tpg[tpg->tport_tpgt] = tpg;
> 
> When vs_tpg[tpg->tport_tpgt] = 0

Nobody else has offered an alternative theory or shown that it is
unexploitable, so probably a CVE ID is reasonable. Use CVE-2015-4036.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVXfnpAAoJEKllVAevmvmsJSkH+wQyE2BCazl50a+4lscyN/S/
mLdpNddqLuaCPEWOwFcp8UX2M/d5Uyj4zl42bsfFOy0HA6zBmUAzjeg9Ea3b8gQp
ix4guXREeWkmaw+IT5uyG8dCSujMSTzvdDKvXoCh2jcyvdSXXb4xcHIlsmppgn8M
8hVRXoAuEt8yrbtjzXA99pB6gYJeKTOsZFPx0Fwy2aeCO/tCVUoZF+KlUGxokvWL
wRhl9JBdKxmqzMgZcuDUdgZ9s9TGpFIChVOKvDHdw52pL8eXMEqzD1JV2NbQGG3C
Xa/LmM2wCE/eqnYT7QSlzEjh2e1titJkNUc+wVNj4Refj/k1HXCCQdVZNOWnbh8=
=voYF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ