[v3.1] kernel: Integer overflow in SCSI generic driver (CVE-2015-5707)
Integer overflow in SCSI generic driver in Linux <4.1
This bug has been present for a long time, probably introduced in Linux 2.6.28 by:
commit 10db10d144c0248f285242f79daf6b9de6b00a62
Author: FUJITA Tomonori <fujita.tomonori@….ntt.co.jp>
Date: Fri Aug 29 12:32:18 2008 +0200
sg: convert the indirect IO path to use the block layer
This patch converts the indirect IO path (including mmap IO and old struct sg_header) to use the block layer functions (blk_get_request, blk_execute_rq_nowait, blk_rq_map_user, etc) instead of scsi_execute_async().
[Jens: fixed compile error with SCSI logging enabled]
Signed-off-by: FUJITA Tomonori <fujita.tomonori....ntt.co.jp>
Signed-off-by: Douglas Gilbert <dougg…que.net>
Cc: Mike Christie <michaelc...wisc.edu>
Cc: James Bottomley <James.Bottomley…senPartnership.com>
Signed-off-by: Jens Axboe <jens.axboe@…cle.com>
It was fixed in Linux 4.1-rc1 by:
commit 451a2886b6bf90e2fb378f7c46c655450fb96e81
Author: Al Viro <viro@…iv.linux.org.uk>
Date: Sat Mar 21 20:08:18 2015 -0400
sg_start_req(): make sure that there’s not too many elements in iovec
unfortunately, allowing an arbitrary 16bit value means a possibility of overflow in the calculation of total number of pages in bio_map_user_iov() - we rely on there being no more than PAGE_SIZE members of sum in the first loop there. If that sum wraps around, we end up allocating too small array of pointers to pages and it's easy to overflow it in the second loop.
X-Coverup: TINC (and there’s no lumber cartel either)
Cc: stable...r.kernel.org # way, way back
Signed-off-by: Al Viro <viro…iv.linux.org.uk>
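The arithmetic the commit message above describes, as an added example that is not kernel code: a simplified C model of the page-count loop in bio_map_user_iov(), first with an unbounded 16-bit entry count feeding a wrapping 32-bit accumulator, then with the entry-count bound the fix introduced (UIO_MAXIOV) and, as an extra guard that goes beyond the fix, an overflow-checked accumulation. The struct iov_entry type, the count_pages_* and demo_* functions and the iovec contents are constructed for this example; PAGE_SHIFT and UIO_MAXIOV take the kernel's usual values (12 and 1024).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define UIO_MAXIOV 1024          /* kernel's bound on iovec entries */

/* Stand-in for struct iovec (this example's own type, not the kernel's). */
struct iov_entry {
    uint64_t base;               /* user address */
    uint64_t len;                /* byte length */
};

/* Pages spanned by one entry: the (end - start) computation the commit
 * message refers to.  Returns 0 and stores the count, or -EINVAL when
 * base + len would wrap around the address space. */
static int entry_pages(const struct iov_entry *e, uint64_t *pages)
{
    uint64_t last, start = e->base >> PAGE_SHIFT;

    if (__builtin_add_overflow(e->base, e->len, &last) ||
        __builtin_add_overflow(last, PAGE_SIZE - 1, &last))
        return -EINVAL;
    *pages = (last >> PAGE_SHIFT) - start;
    return 0;
}

/* Pre-fix shape: an arbitrary 16-bit entry count and a 32-bit running sum.
 * Each entry is checked on its own, but the sum is not, so it wraps and
 * reports far fewer pages than the iovec really covers. */
unsigned int count_pages_unchecked(const struct iov_entry *iov, uint16_t n)
{
    unsigned int nr_pages = 0;
    uint64_t pages;

    for (size_t i = 0; i < n; i++) {
        if (entry_pages(&iov[i], &pages) != 0)
            return 0;
        nr_pages += (unsigned int)pages;   /* silent modular wrap */
    }
    return nr_pages;
}

/* Post-fix shape: the entry count is bounded by UIO_MAXIOV (what the fix
 * does), and this example additionally refuses a sum that does not fit the
 * accumulator instead of letting it wrap.  Returns 0 on success. */
int count_pages_checked(const struct iov_entry *iov, size_t n, unsigned int *out)
{
    unsigned int nr_pages = 0;
    uint64_t pages;

    if (n > UIO_MAXIOV)
        return -EINVAL;
    for (size_t i = 0; i < n; i++) {
        if (entry_pages(&iov[i], &pages) != 0)
            return -EINVAL;
        if (__builtin_add_overflow(nr_pages, pages, &nr_pages))
            return -EOVERFLOW;
    }
    *out = nr_pages;
    return 0;
}

/* Constructed iovec: n entries at address 0, each len bytes long. */
static struct iov_entry sample[4097];

static const struct iov_entry *constructed_iovec(size_t n, uint64_t len)
{
    for (size_t i = 0; i < n; i++) {
        sample[i].base = 0;
        sample[i].len = len;
    }
    return sample;
}

/* 4097 entries of 4 GiB each cover 4097 * 2^20 = 2^32 + 2^20 pages.  The
 * unchecked sum wraps to 2^20; the checked version rejects the count. */
unsigned int demo_wrapped_count(void)
{
    return count_pages_unchecked(constructed_iovec(4097, 1ULL << 32), 4097);
}

uint64_t demo_true_page_total(void)
{
    const struct iov_entry *iov = constructed_iovec(4097, 1ULL << 32);
    uint64_t total = 0, pages;

    for (size_t i = 0; i < 4097; i++) {
        entry_pages(&iov[i], &pages);
        total += pages;
    }
    return total;
}

int demo_checked_rejects_count(void)
{
    unsigned int out;
    return count_pages_checked(constructed_iovec(4097, 1ULL << 32), 4097, &out);
}

/* 1024 entries (within UIO_MAXIOV) of 32 GiB each: 2^33 pages, refused by
 * the overflow-checked accumulation rather than wrapped. */
int demo_checked_rejects_sum(void)
{
    unsigned int out;
    return count_pages_checked(constructed_iovec(1024, 1ULL << 35), 1024, &out);
}

/* Ordinary iovec: 1 + 1 + 2 pages. */
unsigned int demo_checked_ok(void)
{
    const struct iov_entry iov[3] = { {0, 4096}, {0, 1}, {0, 8191} };
    unsigned int out = 0;

    return count_pages_checked(iov, 3, &out) == 0 ? out : 0;
}

int main(void)
{
    printf("unchecked: %u pages (true total %llu)\n", demo_wrapped_count(),
           (unsigned long long)demo_true_page_total());
    printf("checked: count -> %d, sum -> %d, ordinary -> %u\n",
           demo_checked_rejects_count(), demo_checked_rejects_sum(),
           demo_checked_ok());
    return 0;
}
```

The wrapped value is the size that would have been passed to the page-pointer allocation, which is why the later per-entry loop writes past the array; bounding the entry count keeps the sum small enough to fit, and checking the addition itself catches any remaining way for it to wrap.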
commit fdc81f45e9f57858da6351836507fbcf1b7583ee
Author: Al Viro <viro@…iv.linux.org.uk>
Date: Sat Mar 21 20:25:30 2015 -0400
sg_start_req(): use import_iovec()
Signed-off-by: Al Viro <viro@…iv.linux.org.uk>
This has not been included in any stable branches yet.
When backporting the fix to older kernel versions, the second commit can't be used. The first commit requires a naming fix-up: s/MAX_UIOVEC/UIO_MAXIOV/.
Reference:
http://www.openwall.com/lists/oss-security/2015/08/01/6
http://seclists.org/oss-sec/2015/q3/278
(from redmine: issue id 4586, created on 2015-08-26, closed on 2017-09-05)
- Relations:
- parent #4583