Date: Sat, 01 Aug 2015 18:16:39 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: oss-security <oss-security@...ts.openwall.com>
Cc: security@...ian.org
Subject: CVE request: Integer overflow in SCSI generic driver in Linux <4.1

This bug has been present for a long time, probably introduced in Linux
2.6.28 by:

commit 10db10d144c0248f285242f79daf6b9de6b00a62
Author: FUJITA Tomonori <fujita.tomonori@....ntt.co.jp>
Date:   Fri Aug 29 12:32:18 2008 +0200

    sg: convert the indirect IO path to use the block layer

    This patch converts the indirect IO path (including mmap IO and old
    struct sg_header) to use the block layer functions (blk_get_request,
    blk_execute_rq_nowait, blk_rq_map_user, etc) instead of
    scsi_execute_async().

    [Jens: fixed compile error with SCSI logging enabled]

    Signed-off-by: FUJITA Tomonori <fujita.tomonori@....ntt.co.jp>
    Signed-off-by: Douglas Gilbert <dougg@...que.net>
    Cc: Mike Christie <michaelc@...wisc.edu>
    Cc: James Bottomley <James.Bottomley@...senPartnership.com>
    Signed-off-by: Jens Axboe <jens.axboe@...cle.com>

It was fixed in Linux 4.1-rc1 by:

commit 451a2886b6bf90e2fb378f7c46c655450fb96e81
Author: Al Viro <viro@...iv.linux.org.uk>
Date:   Sat Mar 21 20:08:18 2015 -0400

    sg_start_req(): make sure that there's not too many elements in iovec

    unfortunately, allowing an arbitrary 16bit value means a possibility of
    overflow in the calculation of total number of pages in bio_map_user_iov() -
    we rely on there being no more than PAGE_SIZE members of sum in the
    first loop there.  If that sum wraps around, we end up allocating too
    small array of pointers to pages and it's easy to overflow it in the
    second loop.

    X-Coverup: TINC (and there's no lumber cartel either)
    Cc: stable@...r.kernel.org # way, way back
    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

commit fdc81f45e9f57858da6351836507fbcf1b7583ee
Author: Al Viro <viro@...iv.linux.org.uk>
Date:   Sat Mar 21 20:25:30 2015 -0400

    sg_start_req(): use import_iovec()

    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

This has not been included in any stable branches yet.  When backporting
the fix to older kernel versions, the second commit can't be used.  The
first commit requires a naming fix-up: s/MAX_UIOVEC/UIO_MAXIOV/.

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
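Added example, not part of the email above and not kernel code: a user-space model of the page-count arithmetic the second commit message describes. count_pages_naive() sums per-segment page counts into a 32-bit accumulator with no limit on the number of segments, so a large enough iovec makes the total wrap to a small value and a caller sizing its page-pointer array from it would allocate too little. count_pages_checked() caps the segment count at UIO_MAXIOV (the name the backport note mentions), rejects a base+len that wraps the address space, and bounds the running total so it can never overflow. The struct and function names, MAX_PAGES_DEMO, and the sample iovecs are this example's own assumptions; PAGE_SIZE and UIO_MAXIOV only mirror the kernel's values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT     12
#define PAGE_SIZE      (1ULL << PAGE_SHIFT)
#define UIO_MAXIOV     1024        /* kernel's limit on iovec entries */
#define MAX_PAGES_DEMO 65536ULL    /* assumed cap on pinned pages for this demo */

/* Hypothetical segment type standing in for a user-supplied struct iovec. */
struct iov_seg {
    uint64_t base;   /* user address */
    uint64_t len;    /* byte length */
};

/* Naive form: 32-bit accumulator, no limit on nseg, no overflow checks.
 * The per-segment arithmetic is the usual round-up-to-pages; the defect is
 * that the sum is allowed to wrap (modelled with uint32_t so the wrap is
 * deterministic rather than undefined behaviour). */
uint32_t count_pages_naive(const struct iov_seg *iov, unsigned int nseg)
{
    uint32_t nr_pages = 0;
    for (unsigned int i = 0; i < nseg; i++) {
        uint64_t end   = (iov[i].base + iov[i].len + PAGE_SIZE - 1) >> PAGE_SHIFT;
        uint64_t start = iov[i].base >> PAGE_SHIFT;
        nr_pages += (uint32_t)(end - start);   /* silently wraps modulo 2^32 */
    }
    return nr_pages;
}

/* Checked form: refuses more than UIO_MAXIOV segments, refuses a segment
 * whose base+len wraps, and refuses a total above MAX_PAGES_DEMO before the
 * addition is performed, so the accumulator can never overflow.
 * Returns 0 and stores the total in *out, or -1 on rejection. */
int count_pages_checked(const struct iov_seg *iov, unsigned int nseg, uint64_t *out)
{
    uint64_t total = 0;
    if (nseg > UIO_MAXIOV)
        return -1;                                   /* too many elements */
    for (unsigned int i = 0; i < nseg; i++) {
        if (iov[i].len == 0)
            continue;                                /* empty segment pins nothing */
        if (iov[i].base > UINT64_MAX - iov[i].len)
            return -1;                               /* base + len would wrap */
        uint64_t first = iov[i].base >> PAGE_SHIFT;
        uint64_t last  = (iov[i].base + iov[i].len - 1) >> PAGE_SHIFT;
        uint64_t pages = last - first + 1;
        if (pages > MAX_PAGES_DEMO - total)
            return -1;                               /* total would exceed the cap */
        total += pages;
    }
    *out = total;
    return 0;
}

/* Constructed inputs. "legit" spans 1 + 2 + 1 = 4 pages. "wrapping" is four
 * segments of 2^42 bytes, 2^30 pages each, 2^32 pages in total. */
static const struct iov_seg legit[3] = {
    { 0x1000, 100 }, { 0x1ff0, 32 }, { 0, 4096 }
};
static const struct iov_seg wrapping[4] = {
    { 0, 1ULL << 42 }, { 0, 1ULL << 42 }, { 0, 1ULL << 42 }, { 0, 1ULL << 42 }
};

uint32_t demo_legit_naive(void)      { return count_pages_naive(legit, 3); }
uint64_t demo_legit_checked(void)    { uint64_t n = 0; return count_pages_checked(legit, 3, &n) == 0 ? n : 0; }
uint32_t demo_wrapping_naive(void)   { return count_pages_naive(wrapping, 4); }
int      demo_wrapping_checked(void) { uint64_t n = 0; return count_pages_checked(wrapping, 4, &n); }
/* Rejected on the element count alone, before the array is touched. */
int      demo_too_many_checked(void) { uint64_t n = 0; return count_pages_checked(NULL, UIO_MAXIOV + 1, &n); }

int main(void)
{
    printf("legit:    naive=%u checked=%llu\n",
           demo_legit_naive(), (unsigned long long)demo_legit_checked());
    printf("wrapping: naive=%u (wrapped) checked=%d (rejected)\n",
           demo_wrapping_naive(), demo_wrapping_checked());
    printf("too many: checked=%d (rejected)\n", demo_too_many_checked());
    return 0;
}
```

The checked version carries the cap on elements that the first fix commit adds, plus the two arithmetic guards a reviewer would expect around any sum derived from user-controlled lengths: the comparison is written as pages > cap - total rather than total + pages > cap, so the check itself cannot overflow.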