sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
parent
771e5be22a
commit
bc42fd66b1
|
@ -1,3 +1,9 @@
|
|||
linux (4.16.12-2) UNRELEASED; urgency=medium
|
||||
|
||||
* sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 30 May 2018 08:41:30 +0200
|
||||
|
||||
linux (4.16.12-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
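--- a/debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
+++ b/debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
@@ -0,0 +1,61 @@
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 21 May 2018 12:21:14 -0600
+Subject: sr: pass down correctly sized SCSI sense buffer
+Origin: https://git.kernel.org/linus/f7068114d45ec55996b9040e98111afa56e010fe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11506
+
+We're casting the CDROM layer request_sense to the SCSI sense
+buffer, but the former is 64 bytes and the latter is 96 bytes.
+As we generally allocate these on the stack, we end up blowing
+up the stack.
+
+Fix this by wrapping the scsi_execute() call with a properly
+sized sense buffer, and copying back the bits for the CDROM
+layer.
+
+Cc: stable@vger.kernel.org
+Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com>
+Reported-by: Daniel Shapira <daniel@twistlock.com>
+Tested-by: Kees Cook <keescook@chromium.org>
+Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+drivers/scsi/sr_ioctl.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
+index 2a21f2d48592..35fab1e18adc 100644
+--- a/drivers/scsi/sr_ioctl.c
++++ b/drivers/scsi/sr_ioctl.c
+@@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
+struct scsi_device *SDev;
+struct scsi_sense_hdr sshdr;
+int result, err = 0, retries = 0;
++ unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
+
+SDev = cd->device;
+
++ if (cgc->sense)
++ senseptr = sense_buffer;
++
+retry:
+if (!scsi_block_when_processing_errors(SDev)) {
+err = -ENODEV;
+@@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
+}
+
+result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
+- cgc->buffer, cgc->buflen,
+- (unsigned char *)cgc->sense, &sshdr,
++ cgc->buffer, cgc->buflen, senseptr, &sshdr,
+cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
+
++ if (cgc->sense)
++ memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
++
+/* Minimal error checking. Ignore cases we know about, and report the rest. */
+if (driver_byte(result) != 0) {
+switch (sshdr.sense_key) {
+--
+2.11.0
+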
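Review bot: `sense_buffer` is declared without an initializer in the first hunk of sr_do_ioctl(), yet the second hunk copies `sizeof(*cgc->sense)` bytes out of it whenever `cgc->sense` is set, regardless of what scsi_execute() returned. If scsi_execute() can return without filling the sense buffer (its body is not visible here), that memcpy hands indeterminate stack bytes, or stale sense left over from an earlier pass through `retry:`, to the CDROM layer. Zeroing the buffer on each attempt closes that gap: `memset(sense_buffer, 0, sizeof(sense_buffer));` placed directly after the `retry:` label. The copy also depends on the CDROM request_sense staying no larger than the SCSI buffer (64 versus 96 bytes per the commit message), which `BUILD_BUG_ON(sizeof(*cgc->sense) > SCSI_SENSE_BUFFERSIZE);` would pin at compile time. The body of sr_do_ioctl() starts and ends outside both hunks.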
@ -143,6 +143,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
|||
bugfix/all/xfs-enhance-dinode-verifier.patch
|
||||
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
|
||||
bugfix/x86/kvm-vmx-expose-ssbd-properly-to-guests.patch
|
||||
bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|