debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)

This commit is contained in:
Salvatore Bonaccorso 2018-05-30 08:39:10 +02:00
parent 771e5be22a
commit bc42fd66b1
3 changed files with 68 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
linux (4.16.12-2) UNRELEASED; urgency=medium
* sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 30 May 2018 08:41:30 +0200
linux (4.16.12-1) unstable; urgency=medium
* New upstream stable update:

61
debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch vendored Normal file
View File

@ -0,0 +1,61 @@
From: Jens Axboe <axboe@kernel.dk>
Date: Mon, 21 May 2018 12:21:14 -0600
Subject: sr: pass down correctly sized SCSI sense buffer
Origin: https://git.kernel.org/linus/f7068114d45ec55996b9040e98111afa56e010fe
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11506
We're casting the CDROM layer request_sense to the SCSI sense
buffer, but the former is 64 bytes and the latter is 96 bytes.
As we generally allocate these on the stack, we end up blowing
up the stack.
Fix this by wrapping the scsi_execute() call with a properly
sized sense buffer, and copying back the bits for the CDROM
layer.
Cc: stable@vger.kernel.org
Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com>
Reported-by: Daniel Shapira <daniel@twistlock.com>
Tested-by: Kees Cook <keescook@chromium.org>
Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
drivers/scsi/sr_ioctl.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 2a21f2d48592..35fab1e18adc 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
struct scsi_device *SDev;
struct scsi_sense_hdr sshdr;
int result, err = 0, retries = 0;
+ unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
SDev = cd->device;
+ if (cgc->sense)
+ senseptr = sense_buffer;
+
retry:
if (!scsi_block_when_processing_errors(SDev)) {
err = -ENODEV;
@@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
}
result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
- cgc->buffer, cgc->buflen,
- (unsigned char *)cgc->sense, &sshdr,
+ cgc->buffer, cgc->buflen, senseptr, &sshdr,
cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
+ if (cgc->sense)
+ memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
+
/* Minimal error checking. Ignore cases we know about, and report the rest. */
if (driver_byte(result) != 0) {
switch (sshdr.sense_key) {
--
2.11.0

1
debian/patches/series vendored
View File

@ -143,6 +143,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/xfs-enhance-dinode-verifier.patch
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
bugfix/x86/kvm-vmx-expose-ssbd-properly-to-guests.patch
bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch