Date: Sat, 01 Aug 2015 18:16:39 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: oss-security <oss-security@...ts.openwall.com>
Cc: security@...ian.org
Subject: CVE request: Integer overflow in SCSI generic driver in Linux <4.1

This bug has been present for a long time, probably introduced in Linux
2.6.28 by:

commit 10db10d144c0248f285242f79daf6b9de6b00a62
Author: FUJITA Tomonori <fujita.tomonori@....ntt.co.jp>
Date:   Fri Aug 29 12:32:18 2008 +0200

    sg: convert the indirect IO path to use the block layer
    
    This patch converts the indirect IO path (including mmap IO and old
    struct sg_header) to use the block layer functions (blk_get_request,
    blk_execute_rq_nowait, blk_rq_map_user, etc) instead of
    scsi_execute_async().
    
    [Jens: fixed compile error with SCSI logging enabled]
    
    Signed-off-by: FUJITA Tomonori <fujita.tomonori@....ntt.co.jp>
    Signed-off-by: Douglas Gilbert <dougg@...que.net>
    Cc: Mike Christie <michaelc@...wisc.edu>
    Cc: James Bottomley <James.Bottomley@...senPartnership.com>
    Signed-off-by: Jens Axboe <jens.axboe@...cle.com>

It was fixed in Linux 4.1-rc1 by:

commit 451a2886b6bf90e2fb378f7c46c655450fb96e81
Author: Al Viro <viro@...iv.linux.org.uk>
Date:   Sat Mar 21 20:08:18 2015 -0400

    sg_start_req(): make sure that there's not too many elements in iovec
    
    unfortunately, allowing an arbitrary 16-bit value means a possibility of
    overflow in the calculation of total number of pages in bio_map_user_iov() -
    we rely on there being no more than PAGE_SIZE members of sum in the
    first loop there.  If that sum wraps around, we end up allocating
    too small an array of pointers to pages and it's easy to overflow it in
    the second loop.
    
    X-Coverup: TINC (and there's no lumber cartel either)
    Cc: stable@...r.kernel.org # way, way back
    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

commit fdc81f45e9f57858da6351836507fbcf1b7583ee
Author: Al Viro <viro@...iv.linux.org.uk>
Date:   Sat Mar 21 20:25:30 2015 -0400

    sg_start_req(): use import_iovec()
    
    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

This has not been included in any stable branches yet.

When backporting the fix to older kernel versions, the second commit
can't be used.  The first commit requires a naming fix-up:
s/MAX_UIOVEC/UIO_MAXIOV/.

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
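As an added illustration of the wraparound Al Viro's commit message describes (this is a user-space model written for this note, not code from the kernel or from the post): the unchecked 32-bit page-count sum beside a version that caps the segment count at UIO_MAXIOV and refuses any overflow. The struct layout, the 4 KiB page size and the constructed 4 GiB segments are assumptions, and the arithmetic is simplified relative to bio_map_user_iov().

```c
#include <limits.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define UIO_MAXIOV 1024      /* assumed cap on segments per request */
#define DEMO_SEGMENTS 4096

struct iov { uint64_t base; uint64_t len; };   /* user address, byte length */

/* Pages spanned by one segment, as a user-buffer mapper computes them. */
static uint64_t segment_pages(const struct iov *v) {
    uint64_t start = v->base >> PAGE_SHIFT;
    uint64_t end = (v->base + v->len + (1 << PAGE_SHIFT) - 1) >> PAGE_SHIFT;
    return end - start;
}

/* Unchecked sum in a 32-bit counter: with up to 65535 segments it can wrap,
 * and an array of page pointers sized from the wrapped value is too small. */
unsigned int unchecked_total_pages(const struct iov *iovs, unsigned int count) {
    unsigned int nr_pages = 0;
    for (unsigned int i = 0; i < count; i++)
        nr_pages += (unsigned int)segment_pages(&iovs[i]);
    return nr_pages;
}

/* Checked sum: bound the segment count first, then refuse any wraparound.
 * Returns the total, or -1 if the request must be rejected. */
long long checked_total_pages(const struct iov *iovs, unsigned int count) {
    unsigned int nr_pages = 0;
    if (count > UIO_MAXIOV)
        return -1;
    for (unsigned int i = 0; i < count; i++) {
        uint64_t seg = segment_pages(&iovs[i]);
        if (seg > UINT_MAX - nr_pages)
            return -1;
        nr_pages += (unsigned int)seg;
    }
    return nr_pages;
}

/* Constructed input: page-aligned 4 GiB segments (2^20 pages each), so 4096 of
 * them total 2^32 pages, which the 32-bit counter wraps to exactly 0. */
const struct iov *demo_iovecs(void) {
    static struct iov demo[DEMO_SEGMENTS];
    for (unsigned int i = 0; i < DEMO_SEGMENTS; i++)
        demo[i] = (struct iov){ (uint64_t)i << 32, (uint64_t)1 << 32 };
    return demo;
}
```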

