diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2019-06-05 07:34:29 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2019-06-05 07:34:29 -0500 |
commit | 3acf2d47cf16de69f112b6a192da6001e54417a4 (patch) | |
tree | d06b3d263754bdccd9145ec61b1aceb7b392769f | |
parent | f173b49d03a7ddf316e354a0d3c8c88fe78f8745 (diff) | |
download | kernel-3acf2d47cf16de69f112b6a192da6001e54417a4.tar.gz kernel-3acf2d47cf16de69f112b6a192da6001e54417a4.tar.xz kernel-3acf2d47cf16de69f112b6a192da6001e54417a4.zip |
Fix CVE-2019-12456 (rhbz 1717182 1717183)
-rw-r--r-- | kernel.spec | 6 | ||||
-rw-r--r-- | scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch | 43 |
2 files changed, 49 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 2fc0a772e..ba835280d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -613,6 +613,9 @@ Patch534: clk-sunxi-fix-a-missing-check-bug-in-sunxi_divs_clk_setup.patch # CVE-2019-12454 rhbz 1716996 1717003 Patch535: wcd9335-fix-a-incorrect-use-of-kstrndup.patch +# CVE-2019-12456 rhbz 1717182 1717183 +Patch536: scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch + # END OF PATCH DEFINITIONS %endif @@ -1851,6 +1854,9 @@ fi # # %changelog +* Wed Jun 05 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2019-12456 (rhbz 1717182 1717183) + * Tue Jun 04 2019 Jeremy Cline <jcline@redhat.com> - 5.1.7-300 - Linux v5.1.7 - Fix CVE-2019-12455 (rhbz 1716990 1717003) diff --git a/scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch b/scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch new file mode 100644 index 000000000..7e282fe11 --- /dev/null +++ b/scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch @@ -0,0 +1,43 @@ +From 86e5aca7fa2927060839f3e3b40c8bd65a7e8d1e Mon Sep 17 00:00:00 2001 +From: Gen Zhang <blackgod016574@gmail.com> +Date: Thu, 30 May 2019 09:10:30 +0800 +Subject: scsi: mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main() + +In _ctl_ioctl_main(), 'ioctl_header' is fetched the first time from +userspace. 'ioctl_header.ioc_number' is then checked. The legal result is +saved to 'ioc'. Then, in condition MPT3COMMAND, the whole struct is fetched +again from the userspace. Then _ctl_do_mpt_command() is called, 'ioc' and +'karg' as inputs. + +However, a malicious user can change the 'ioc_number' between the two +fetches, which will cause a potential security issues. Moreover, a +malicious user can provide a valid 'ioc_number' to pass the check in first +fetch, and then modify it in the second fetch. + +To fix this, we need to recheck the 'ioc_number' in the second fetch. + +Signed-off-by: Gen Zhang <blackgod016574@gmail.com> +Acked-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +--- + drivers/scsi/mpt3sas/mpt3sas_ctl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +index b2bb47c14d35..5181c03e82a6 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +@@ -2319,6 +2319,10 @@ _ctl_ioctl_main(struct file *file, unsigned int cmd, void __user *arg, + break; + } + ++ if (karg.hdr.ioc_number != ioctl_header.ioc_number) { ++ ret = -EINVAL; ++ break; ++ } + if (_IOC_SIZE(cmd) == sizeof(struct mpt3_ioctl_command)) { + uarg = arg; + ret = _ctl_do_mpt_command(ioc, karg, &uarg->mf); +-- +cgit 1.2-0.3.lf.el7 + |