[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-14489

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-14489

Kleber Souza
Clean cherry-pick for Trusty and Zesty.

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14489.html

Xin Long (1):
  scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't
    parse nlmsg properly

 drivers/scsi/scsi_transport_iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[SRU][Trusty][Zesty][PATCH 1/1] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly

Kleber Souza
From: Xin Long <[hidden email]>

ChunYu found a kernel crash by syzkaller:

[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  651.618731] general protection fault: 0000 [#1] SMP KASAN
[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[  651.627260] Call Trace:
[  651.629156]  skb_release_all+0x4f/0x60
[  651.629450]  consume_skb+0x1a5/0x600
[  651.630705]  netlink_unicast+0x505/0x720
[  651.632345]  netlink_sendmsg+0xab2/0xe70
[  651.633704]  sock_sendmsg+0xcf/0x110
[  651.633942]  ___sys_sendmsg+0x833/0x980
[  651.637117]  __sys_sendmsg+0xf3/0x240
[  651.638820]  SyS_sendmsg+0x32/0x50
[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2

It's caused by skb_shared_info at the end of sk_buff was overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.

During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.

This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over accessing sk_buff.

Reported-by: ChunYu Wang <[hidden email]>
Signed-off-by: Xin Long <[hidden email]>
Acked-by: Chris Leech <[hidden email]>
Signed-off-by: Martin K. Petersen <[hidden email]>

CVE-2017-14489
(cherry picked from commit c88f0e6b06f4092995688211a631bb436125d77b)
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 drivers/scsi/scsi_transport_iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
index 8934f19bce8e..0190aeff5f7f 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
  uint32_t group;
 
  nlh = nlmsg_hdr(skb);
- if (nlh->nlmsg_len < sizeof(*nlh) ||
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
     skb->len < nlh->nlmsg_len) {
  break;
  }
--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU][Trusty][Zesty][PATCH 1/1] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly

Colin Ian King-2
On 07/12/17 14:23, Kleber Sacilotto de Souza wrote:

> From: Xin Long <[hidden email]>
>
> ChunYu found a kernel crash by syzkaller:
>
> [  651.617875] kasan: CONFIG_KASAN_INLINE enabled
> [  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
> [  651.618731] general protection fault: 0000 [#1] SMP KASAN
> [  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
> [  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
> [  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
> [  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
> [...]
> [  651.627260] Call Trace:
> [  651.629156]  skb_release_all+0x4f/0x60
> [  651.629450]  consume_skb+0x1a5/0x600
> [  651.630705]  netlink_unicast+0x505/0x720
> [  651.632345]  netlink_sendmsg+0xab2/0xe70
> [  651.633704]  sock_sendmsg+0xcf/0x110
> [  651.633942]  ___sys_sendmsg+0x833/0x980
> [  651.637117]  __sys_sendmsg+0xf3/0x240
> [  651.638820]  SyS_sendmsg+0x32/0x50
> [  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2
>
> It's caused by skb_shared_info at the end of sk_buff was overwritten by
> ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
>
> During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
> ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
> new value to skb_shinfo(SKB)->nr_frags by ev->type.
>
> This patch is to fix it by checking nlh->nlmsg_len properly there to
> avoid over accessing sk_buff.
>
> Reported-by: ChunYu Wang <[hidden email]>
> Signed-off-by: Xin Long <[hidden email]>
> Acked-by: Chris Leech <[hidden email]>
> Signed-off-by: Martin K. Petersen <[hidden email]>
>
> CVE-2017-14489
> (cherry picked from commit c88f0e6b06f4092995688211a631bb436125d77b)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
> ---
>  drivers/scsi/scsi_transport_iscsi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
> index 8934f19bce8e..0190aeff5f7f 100644
> --- a/drivers/scsi/scsi_transport_iscsi.c
> +++ b/drivers/scsi/scsi_transport_iscsi.c
> @@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
>   uint32_t group;
>  
>   nlh = nlmsg_hdr(skb);
> - if (nlh->nlmsg_len < sizeof(*nlh) ||
> + if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
>      skb->len < nlh->nlmsg_len) {
>   break;
>   }
>
Clean upstream cherry pick, does what it says.

Acked-by: Colin Ian King <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU][Trusty][Zesty][PATCH 1/1] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly

Po-Hsu Lin (Sam)
In reply to this post by Kleber Souza
Clean cherrypick for both T and Z.
Acked-by: Po-Hsu Lin <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [SRU, Trusty, Zesty, 1/1] scsi: scsi_transport_iscsi: fix the issue that

Thadeu Lima de Souza Cascardo-3
In reply to this post by Kleber Souza
Applied to trusty and zesty master-next branches.

Thanks.
Cascardo.

Applied-to: trusty/master-next
Applied-to: zesty/master-next

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team