diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-02-16 14:32:42 -0500 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-02-16 14:39:46 -0500 |
commit | c438599162b0da1365ac1ea1a03e16586fc47e77 (patch) | |
tree | 1c8ccd7f2af21ab39931079275ba5769d77d69a7 | |
parent | d2fb0bf0211cf45ca9ea59fc158e90ae3f45176a (diff) | |
download | kernel-c438599162b0da1365ac1ea1a03e16586fc47e77.tar.gz kernel-c438599162b0da1365ac1ea1a03e16586fc47e77.tar.xz kernel-c438599162b0da1365ac1ea1a03e16586fc47e77.zip |
CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079)
-rw-r--r-- | kernel.spec | 7 | ||||
-rw-r--r-- | vhost-scsi-potential-memory-corruption.patch | 53 |
2 files changed, 60 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 78e8c3b91..0907b479c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -620,6 +620,9 @@ Patch26134: perf-tools-Define-_GNU_SOURCE-on-pthread_attr_setaff.patch #CVE-2015-1593 rhbz 1192519 1192520 Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch +#CVE-XXXX-XXXX rhbz 1189864 1192079 +Patch26136: vhost-scsi-potential-memory-corruption.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1349,6 +1352,9 @@ ApplyPatch perf-tools-Define-_GNU_SOURCE-on-pthread_attr_setaff.patch #CVE-2015-1593 rhbz 1192519 1192520 ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch +#CVE-XXXX-XXXX rhbz 1189864 1192079 +ApplyPatch vhost-scsi-potential-memory-corruption.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2216,6 +2222,7 @@ fi # || || %changelog * Mon Feb 16 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079) - CVE-2015-1593 stack ASLR integer overflow (rhbz 1192519 1192520) * Mon Feb 16 2015 Peter Robinson <pbrobinson@fedoraproject.org> diff --git a/vhost-scsi-potential-memory-corruption.patch b/vhost-scsi-potential-memory-corruption.patch new file mode 100644 index 000000000..08a75a5ff --- /dev/null +++ b/vhost-scsi-potential-memory-corruption.patch @@ -0,0 +1,53 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 5 Feb 2015 10:37:33 +0300 +Subject: [PATCH] vhost/scsi: potential memory corruption + +This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt" +to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16. + +I looked at the context and it turns out that in +vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into +the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so +anything higher than 255 then it is invalid. I have made that the limit +now. + +In vhost_scsi_send_evt() we mask away values higher than 255, but now +that the limit has changed, we don't need the mask. + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> +--- + drivers/vhost/scsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index dc78d87e0fc2..d27cfb20776f 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -1253,7 +1253,7 @@ tcm_vhost_send_evt(struct vhost_scsi *vs, + * lun[4-7] need to be zero according to virtio-scsi spec. + */ + evt->event.lun[0] = 0x01; +- evt->event.lun[1] = tpg->tport_tpgt & 0xFF; ++ evt->event.lun[1] = tpg->tport_tpgt; + if (lun->unpacked_lun >= 256) + evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ; + evt->event.lun[3] = lun->unpacked_lun & 0xFF; +@@ -2124,12 +2124,12 @@ tcm_vhost_make_tpg(struct se_wwn *wwn, + struct tcm_vhost_tport, tport_wwn); + + struct tcm_vhost_tpg *tpg; +- unsigned long tpgt; ++ u16 tpgt; + int ret; + + if (strstr(name, "tpgt_") != name) + return ERR_PTR(-EINVAL); +- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) ++ if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET) + return ERR_PTR(-EINVAL); + + tpg = kzalloc(sizeof(struct tcm_vhost_tpg), GFP_KERNEL); +-- +2.1.0 + |