CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079)

2015-02-16 14:32:42 -05:00 · 2015-02-16 14:32:42 -05:00 · c438599162
commit c438599162
parent d2fb0bf021
2 changed files with 60 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -620,6 +620,9 @@ Patch26134: perf-tools-Define-_GNU_SOURCE-on-pthread_attr_setaff.patch
 #CVE-2015-1593 rhbz 1192519 1192520
 Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
 #CVE-XXXX-XXXX rhbz 1189864 1192079
 Patch26136: vhost-scsi-potential-memory-corruption.patch
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
@ -1349,6 +1352,9 @@ ApplyPatch perf-tools-Define-_GNU_SOURCE-on-pthread_attr_setaff.patch
 #CVE-2015-1593 rhbz 1192519 1192520
 ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
 #CVE-XXXX-XXXX rhbz 1189864 1192079
 ApplyPatch vhost-scsi-potential-memory-corruption.patch
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@ -2216,6 +2222,7 @@ fi
 #                                    ||     ||
 %changelog
 * Mon Feb 16 2015 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079)
 - CVE-2015-1593 stack ASLR integer overflow (rhbz 1192519 1192520)
 * Mon Feb 16 2015 Peter Robinson <pbrobinson@fedoraproject.org>
--- a/vhost-scsi-potential-memory-corruption.patch
+++ b/vhost-scsi-potential-memory-corruption.patch
@ -0,0 +1,53 @@
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Thu, 5 Feb 2015 10:37:33 +0300
 Subject: [PATCH] vhost/scsi: potential memory corruption
 This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
 to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
 I looked at the context and it turns out that in
 vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
 the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
 anything higher than 255 then it is invalid.  I have made that the limit
 now.
 In vhost_scsi_send_evt() we mask away values higher than 255, but now
 that the limit has changed, we don't need the mask.
 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
 ---
 drivers/vhost/scsi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
 index dc78d87e0fc2..d27cfb20776f 100644
 --- a/drivers/vhost/scsi.c
 +++ b/drivers/vhost/scsi.c
@@ -1253,7 +1253,7 @@ tcm_vhost_send_evt(struct vhost_scsi *vs,
 		 * lun[4-7] need to be zero according to virtio-scsi spec.
 		 */
 		evt->event.lun[0] = 0x01;
 -		evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
 +		evt->event.lun[1] = tpg->tport_tpgt;
 		if (lun->unpacked_lun >= 256)
 			evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
 		evt->event.lun[3] = lun->unpacked_lun & 0xFF;
@@ -2124,12 +2124,12 @@ tcm_vhost_make_tpg(struct se_wwn *wwn,
 			struct tcm_vhost_tport, tport_wwn);
 	struct tcm_vhost_tpg *tpg;
 -	unsigned long tpgt;
 +	u16 tpgt;
 	int ret;
 	if (strstr(name, "tpgt_") != name)
 		return ERR_PTR(-EINVAL);
 -	if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
 +	if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
 		return ERR_PTR(-EINVAL);
 	tpg = kzalloc(sizeof(struct tcm_vhost_tpg), GFP_KERNEL);
 -- 
 2.1.0