[SRU][Trusty][PATCH 0/1] Fix for CVE-2017-14991


[SRU][Trusty][PATCH 0/1] Fix for CVE-2017-14991

Kleber Souza
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14991.html

Description:
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before
4.13.4 allows local users to obtain sensitive information from
uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE
ioctl call for /dev/sg0.

Ubuntu-Description:
It was discovered that the generic SCSI driver in the Linux kernel did not
properly initialize data returned to user space in some situations. A local
attacker could use this to expose sensitive information (kernel memory).


A simple backport of the fix is needed for Trusty, which doesn't have
the sg table fill code in a separate function (introduced by
4759df905a47 - scsi: sg: factor out sg_fill_request_table()).

Hannes Reinecke (1):
  scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

 drivers/scsi/sg.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
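The SG_GET_REQUEST_TABLE round-trip the CVE text describes, written up here as an added userspace check; it is not part of the Ubuntu patch or of the kernel tree. The struct layout, the ioctl number 0x2286 and SG_MAX_QUEUE = 16 are assumed to match include/scsi/sg.h and drivers/scsi/sg.c, and /dev/sg0 is the default path taken from the CVE description:

```c
/* Added example, not kernel or Ubuntu code: issue SG_GET_REQUEST_TABLE
 * against an sg node and report non-zero bytes in table slots the
 * driver did not fill (req_state == 0).  The scan is a pure function so
 * it can also be exercised on a constructed table without a device. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

#define SG_GET_REQUEST_TABLE 0x2286   /* assumed: value from scsi/sg.h */
#define SG_MAX_QUEUE 16               /* assumed: value from drivers/scsi/sg.c */

/* Assumed to mirror sg_req_info_t from scsi/sg.h (24 bytes on LP64). */
struct req_info {
    char req_state;      /* 0 -> slot unused, srp->done + 1 otherwise */
    char orphan;
    char sg_io_owned;
    char problem;
    int pack_id;
    void *usr_ptr;
    unsigned int duration;
    int unused;
};

/* Count non-zero bytes inside slots the driver left unused.  Anything
 * counted here is memory the caller never owned: with kmalloc() it is
 * stale heap, with kzalloc() (or a per-slot memset) it must be zero. */
size_t count_leaked_bytes(const struct req_info *tbl, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].req_state != 0)
            continue;               /* active slot: its fields are legitimate */
        const unsigned char *p = (const unsigned char *)&tbl[i];
        for (size_t b = 0; b < sizeof(tbl[i]); b++)
            if (p[b] != 0)
                leaked++;
    }
    return leaked;
}

/* Query one sg node and scan the table; returns the leaked byte count,
 * or -1 if the device cannot be opened or the ioctl fails. */
long check_sg_device(const char *path)
{
    struct req_info tbl[SG_MAX_QUEUE];
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Canary fill: lets "kernel never wrote" be told apart from
     * "kernel wrote zeros" when debugging a suspicious result. */
    memset(tbl, 0xAA, sizeof(tbl));
    int rc = ioctl(fd, SG_GET_REQUEST_TABLE, tbl);
    close(fd);
    if (rc < 0)
        return -1;
    return (long)count_leaked_bytes(tbl, SG_MAX_QUEUE);
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/sg0";
    long leaked = check_sg_device(dev);
    if (leaked < 0) {
        perror(dev);
        return 2;
    }
    printf("%s: %ld non-zero byte(s) in unused request-table slots\n",
           dev, leaked);
    return leaked ? 1 : 0;
}
```

Run it with read access to the sg node on a kernel before and after the fix; a fixed kernel reports zero. Stale heap whose first byte happens to be non-zero looks like an active slot to this scan, so a clean run is evidence rather than proof; repeat it after exercising the device so different heap contents land in the buffer.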

[SRU][Trusty][PATCH 1/1] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

Kleber Souza
From: Hannes Reinecke <[hidden email]>

When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is
returned; the remaining part will then contain stale kernel memory
information.  This patch zeroes out the entire table to avoid this
issue.

Signed-off-by: Hannes Reinecke <[hidden email]>
Reviewed-by: Bart Van Assche <[hidden email]>
Reviewed-by: Christoph Hellwig <[hidden email]>
Reviewed-by: Eric Dumazet <[hidden email]>
Signed-off-by: Martin K. Petersen <[hidden email]>

CVE-2017-14991
(backported from commit 3e0097499839e0fe3af380410eababe5a47c4cf9)
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 drivers/scsi/sg.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 47b8f7b8b7b4..1c3dd355b317 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1003,14 +1003,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
  sg_req_info_t *rinfo;
  unsigned int ms;
 
- rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
- GFP_KERNEL);
+ rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+ GFP_KERNEL);
  if (!rinfo)
  return -ENOMEM;
  read_lock_irqsave(&sfp->rq_list_lock, iflags);
  for (srp = sfp->headrp, val = 0; val < SG_MAX_QUEUE;
      ++val, srp = srp ? srp->nextrp : srp) {
- memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
  if (srp) {
  rinfo[val].req_state = srp->done + 1;
  rinfo[val].problem =
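Review bot: the removed `memset(&rinfo[val], 0, SZ_SG_REQ_INFO)` sits at the top of a loop that, in this Trusty code, still walks every slot (the only bound is `val < SG_MAX_QUEUE`; `srp` merely stops advancing once the list runs out), so each entry was already being cleared on every iteration and the switch to `kzalloc()` does not change what reaches user space here; the cover letter should say this aligns Trusty with upstream rather than closing a live leak in this tree. The new shape is still preferable: zeroing at allocation cannot be undone by a `break`, `continue` or early return later added to the loop, which is the half-filled-table failure the commit message describes for upstream's list-walking version. Style point: the size is a product of two constants, so `kcalloc(SG_MAX_QUEUE, SZ_SG_REQ_INFO, GFP_KERNEL)` is the idiomatic spelling, though overflow is not a concern with compile-time values.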
--
2.17.1



ACK: [SRU][Trusty][PATCH 1/1] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

Colin King
On 11/07/18 16:45, Kleber Sacilotto de Souza wrote:

> From: Hannes Reinecke <[hidden email]>
>
> When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is
> returned; the remaining part will then contain stale kernel memory
> information.  This patch zeroes out the entire table to avoid this
> issue.
>
> Signed-off-by: Hannes Reinecke <[hidden email]>
> Reviewed-by: Bart Van Assche <[hidden email]>
> Reviewed-by: Christoph Hellwig <[hidden email]>
> Reviewed-by: Eric Dumazet <[hidden email]>
> Signed-off-by: Martin K. Petersen <[hidden email]>
>
> CVE-2017-14991
> (backported from commit 3e0097499839e0fe3af380410eababe5a47c4cf9)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
> ---
>  drivers/scsi/sg.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index 47b8f7b8b7b4..1c3dd355b317 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -1003,14 +1003,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
>   sg_req_info_t *rinfo;
>   unsigned int ms;
>  
> - rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
> - GFP_KERNEL);
> + rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
> + GFP_KERNEL);
>   if (!rinfo)
>   return -ENOMEM;
>   read_lock_irqsave(&sfp->rq_list_lock, iflags);
>   for (srp = sfp->headrp, val = 0; val < SG_MAX_QUEUE;
>       ++val, srp = srp ? srp->nextrp : srp) {
> - memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
>   if (srp) {
>   rinfo[val].req_state = srp->done + 1;
>   rinfo[val].problem =
>
Looks sane.

Acked-by: Colin Ian King <[hidden email]>


ACK: [SRU][Trusty][PATCH 1/1] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

Stefan Bader
On 11.07.2018 17:45, Kleber Sacilotto de Souza wrote:

> From: Hannes Reinecke <[hidden email]>
>
> When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is
> returned; the remaining part will then contain stale kernel memory
> information.  This patch zeroes out the entire table to avoid this
> issue.
>
> Signed-off-by: Hannes Reinecke <[hidden email]>
> Reviewed-by: Bart Van Assche <[hidden email]>
> Reviewed-by: Christoph Hellwig <[hidden email]>
> Reviewed-by: Eric Dumazet <[hidden email]>
> Signed-off-by: Martin K. Petersen <[hidden email]>
>
> CVE-2017-14991
> (backported from commit 3e0097499839e0fe3af380410eababe5a47c4cf9)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  drivers/scsi/sg.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index 47b8f7b8b7b4..1c3dd355b317 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -1003,14 +1003,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
>   sg_req_info_t *rinfo;
>   unsigned int ms;
>  
> - rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
> - GFP_KERNEL);
> + rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
> + GFP_KERNEL);
>   if (!rinfo)
>   return -ENOMEM;
>   read_lock_irqsave(&sfp->rq_list_lock, iflags);
>   for (srp = sfp->headrp, val = 0; val < SG_MAX_QUEUE;
>       ++val, srp = srp ? srp->nextrp : srp) {
> - memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
>   if (srp) {
>   rinfo[val].req_state = srp->done + 1;
>   rinfo[val].problem =
>

