sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
This commit is contained in:
parent
771e5be22a
commit
bc42fd66b1
|
@ -1,3 +1,9 @@
|
||||||
|
linux (4.16.12-2) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
|
* sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
|
||||||
|
|
||||||
|
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 30 May 2018 08:41:30 +0200
|
||||||
|
|
||||||
linux (4.16.12-1) unstable; urgency=medium
|
linux (4.16.12-1) unstable; urgency=medium
|
||||||
|
|
||||||
* New upstream stable update:
|
* New upstream stable update:
|
||||||
|
|
61
debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
vendored
Normal file
61
debian/patches/bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
vendored
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
From: Jens Axboe <axboe@kernel.dk>
|
||||||
|
Date: Mon, 21 May 2018 12:21:14 -0600
|
||||||
|
Subject: sr: pass down correctly sized SCSI sense buffer
|
||||||
|
Origin: https://git.kernel.org/linus/f7068114d45ec55996b9040e98111afa56e010fe
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11506
|
||||||
|
|
||||||
|
We're casting the CDROM layer request_sense to the SCSI sense
|
||||||
|
buffer, but the former is 64 bytes and the latter is 96 bytes.
|
||||||
|
As we generally allocate these on the stack, we end up blowing
|
||||||
|
up the stack.
|
||||||
|
|
||||||
|
Fix this by wrapping the scsi_execute() call with a properly
|
||||||
|
sized sense buffer, and copying back the bits for the CDROM
|
||||||
|
layer.
|
||||||
|
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com>
|
||||||
|
Reported-by: Daniel Shapira <daniel@twistlock.com>
|
||||||
|
Tested-by: Kees Cook <keescook@chromium.org>
|
||||||
|
Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
|
||||||
|
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
||||||
|
---
|
||||||
|
drivers/scsi/sr_ioctl.c | 10 ++++++++--
|
||||||
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
|
||||||
|
index 2a21f2d48592..35fab1e18adc 100644
|
||||||
|
--- a/drivers/scsi/sr_ioctl.c
|
||||||
|
+++ b/drivers/scsi/sr_ioctl.c
|
||||||
|
@@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
|
||||||
|
struct scsi_device *SDev;
|
||||||
|
struct scsi_sense_hdr sshdr;
|
||||||
|
int result, err = 0, retries = 0;
|
||||||
|
+ unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
|
||||||
|
|
||||||
|
SDev = cd->device;
|
||||||
|
|
||||||
|
+ if (cgc->sense)
|
||||||
|
+ senseptr = sense_buffer;
|
||||||
|
+
|
||||||
|
retry:
|
||||||
|
if (!scsi_block_when_processing_errors(SDev)) {
|
||||||
|
err = -ENODEV;
|
||||||
|
@@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
|
||||||
|
}
|
||||||
|
|
||||||
|
result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
|
||||||
|
- cgc->buffer, cgc->buflen,
|
||||||
|
- (unsigned char *)cgc->sense, &sshdr,
|
||||||
|
+ cgc->buffer, cgc->buflen, senseptr, &sshdr,
|
||||||
|
cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
|
||||||
|
|
||||||
|
+ if (cgc->sense)
|
||||||
|
+ memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
|
||||||
|
+
|
||||||
|
/* Minimal error checking. Ignore cases we know about, and report the rest. */
|
||||||
|
if (driver_byte(result) != 0) {
|
||||||
|
switch (sshdr.sense_key) {
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
|
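Review bot: The sense_buffer added at the top of sr_do_ioctl() is declared without an initializer, yet the new block after scsi_execute() copies sizeof(*cgc->sense) bytes out of it whenever cgc->sense is set, regardless of whether the command actually returned sense data; if scsi_execute() only fills the caller's buffer when the request carries sense bytes (I believe it does, but confirm against the tree being patched), a successful command with no sense would hand uninitialized stack contents to the CDROM layer, where the old code left cgc->sense untouched. Initializing the array, `unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE] = {0};`, or gating the copy on `if (cgc->sense && scsi_sense_valid(&sshdr))`, would preserve the pre-patch behaviour. The bounded copy is correct only because the CDROM layer's request_sense (64 bytes per the description) is smaller than SCSI_SENSE_BUFFERSIZE (96); a `BUILD_BUG_ON(sizeof(*cgc->sense) > SCSI_SENSE_BUFFERSIZE);` beside the memcpy would pin that assumption. sr_do_ioctl() begins and ends outside the quoted hunks. Since this is the upstream commit applied verbatim (see Origin), any such follow-up belongs upstream rather than as a Debian-local edit to the patch.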
@ -143,6 +143,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/xfs-enhance-dinode-verifier.patch
|
bugfix/all/xfs-enhance-dinode-verifier.patch
|
||||||
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
|
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
|
||||||
bugfix/x86/kvm-vmx-expose-ssbd-properly-to-guests.patch
|
bugfix/x86/kvm-vmx-expose-ssbd-properly-to-guests.patch
|
||||||
|
bugfix/all/sr-pass-down-correctly-sized-SCSI-sense-buffer.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|