From bc42fd66b174ab1c72e116afae64693d81a6dba6 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Wed, 30 May 2018 08:39:10 +0200
Subject: [PATCH] sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
---
 debian/changelog | 6 ++
 ...wn-correctly-sized-SCSI-sense-buffer.patch | 61 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 68 insertions(+)
 create mode 100644 debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
diff --git a/debian/changelog b/debian/changelog
index 56863d3df..c41e6acfd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (4.16.12-2) UNRELEASED; urgency=medium
+
+ * sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
+
+ -- Salvatore Bonaccorso Wed, 30 May 2018 08:41:30 +0200
+
 linux (4.16.12-1) unstable; urgency=medium
 
 * New upstream stable update:
diff --git a/debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch b/debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
new file mode 100644
index 000000000..7078c34a3
--- /dev/null
+++ b/debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
@@ -0,0 +1,61 @@
+From: Jens Axboe
+Date: Mon, 21 May 2018 12:21:14 -0600
+Subject: sr: pass down correctly sized SCSI sense buffer
+Origin: https://git.kernel.org/linus/f7068114d45ec55996b9040e98111afa56e010fe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11506
+
+We're casting the CDROM layer request_sense to the SCSI sense
+buffer, but the former is 64 bytes and the latter is 96 bytes.
+As we generally allocate these on the stack, we end up blowing
+up the stack.
+
+Fix this by wrapping the scsi_execute() call with a properly
+sized sense buffer, and copying back the bits for the CDROM
+layer.
+
+Cc: stable@vger.kernel.org
+Reported-by: Piotr Gabriel Kosinski
+Reported-by: Daniel Shapira
+Tested-by: Kees Cook
+Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
+Signed-off-by: Jens Axboe
+---
+ drivers/scsi/sr_ioctl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
+index 2a21f2d48592..35fab1e18adc 100644
+--- a/drivers/scsi/sr_ioctl.c
++++ b/drivers/scsi/sr_ioctl.c
+@@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
+ struct scsi_device *SDev;
+ struct scsi_sense_hdr sshdr;
+ int result, err = 0, retries = 0;
++ unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
+
+ SDev = cd->device;
+
++ if (cgc->sense)
++ senseptr = sense_buffer;
++
+ retry:
+ if (!scsi_block_when_processing_errors(SDev)) {
+ err = -ENODEV;
+@@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
+ }
+
+ result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
+- cgc->buffer, cgc->buflen,
+- (unsigned char *)cgc->sense, &sshdr,
++ cgc->buffer, cgc->buflen, senseptr, &sshdr,
+ cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
+
++ if (cgc->sense)
++ memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
++
+ /* Minimal error checking. Ignore cases we know about, and report the rest. */
+ if (driver_byte(result) != 0) {
+ switch (sshdr.sense_key) {
+-- 
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index cb1d40074..1f0807613 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -143,6 +143,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/xfs-enhance-dinode-verifier.patch
 bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
 bugfix/x86/kvm-vmx-expose-ssbd-properly-to-guests.patch
+bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
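Review bot: The copy-back `memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));` in the second hunk of the embedded sr_ioctl.c patch runs whenever cgc->sense is set, but sense_buffer is an uninitialised stack array, so if scsi_execute() can return without writing the sense buffer (a failed request allocation, for instance) the caller's request_sense is filled with leftover stack bytes instead of the all-zero sense it would otherwise see; initialising the array, `unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE] = {0}, *senseptr = NULL;`, makes the copied-back data defined on every return path. The copy also silently depends on struct request_sense being no larger than SCSI_SENSE_BUFFERSIZE (the commit message gives 64 versus 96 bytes), so a `BUILD_BUG_ON(sizeof(*cgc->sense) > SCSI_SENSE_BUFFERSIZE);` next to the memcpy would turn a future size change into a build error rather than a stack over-read. sr_do_ioctl() starts before the first hunk and continues past the second.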