kernel / kernel-source

Clone
Source Code
GIT

Blame patches.drivers/scsi-scsi_transport_iscsi-fix-the-issue-that.patch

ALP-current ALP-current-GA ALP-current-RT ALP-current-RT-GA SLE12-SP5 SLE12-SP5-AZURE SLE12-SP5-RT SLE15-SP2-EB SLE15-SP3-RT-LTSS SLE15-SP4-RT-LTSS SLE15-SP5 SLE15-SP5-AZURE SLE15-SP5-RT SLE15-SP6 SLE15-SP6-AZURE SLE15-SP6-AZURE-GA SLE15-SP6-GA SLE15-SP6-RT SLE15-SP6-RT-GA linux-next master packaging scripts slowroll stable vanilla
  1.   6f01e8cfb4a016c4c2f3182bf84155a030cbcadf
  2.   patches.drivers
  3.   scsi-scsi_transport_iscsi-fix-the-issue-that.patch
Blob History Raw
Lee Duncan 180de3 
From: Xin Long <lucien.xin@gmail.com>
Lee Duncan 180de3 
Date: Sun, 27 Aug 2017 20:25:26 +0800
Lee Duncan 180de3 
Subject: [PATCH] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx
Lee Duncan 180de3 
	doesn't parse nlmsg properly
Lee Duncan 180de3 
Patch-mainline: Queued in subsystem maintainer repository
Lee Duncan 180de3 
References: bsc#1059051 CVE-2017-14489
Lee Duncan 180de3 
Git-repo: git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git branch 4.14/scsi-fixes
Lee Duncan 180de3 
Git-commit: c88f0e6b06f4092995688211a631bb436125d77b
Lee Duncan 180de3
Lee Duncan 180de3 
ChunYu found a kernel crash by syzkaller:
Lee Duncan 180de3
Lee Duncan 180de3 
[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
Lee Duncan 180de3 
[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
Lee Duncan 180de3 
[  651.618731] general protection fault: 0000 [#1] SMP KASAN
Lee Duncan 180de3 
[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
Lee Duncan 180de3 
[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Lee Duncan 180de3 
[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
Lee Duncan 180de3 
[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
Lee Duncan 180de3 
[...]
Lee Duncan 180de3 
[  651.627260] Call Trace:
Lee Duncan 180de3 
[  651.629156]  skb_release_all+0x4f/0x60
Lee Duncan 180de3 
[  651.629450]  consume_skb+0x1a5/0x600
Lee Duncan 180de3 
[  651.630705]  netlink_unicast+0x505/0x720
Lee Duncan 180de3 
[  651.632345]  netlink_sendmsg+0xab2/0xe70
Lee Duncan 180de3 
[  651.633704]  sock_sendmsg+0xcf/0x110
Lee Duncan 180de3 
[  651.633942]  ___sys_sendmsg+0x833/0x980
Lee Duncan 180de3 
[  651.637117]  __sys_sendmsg+0xf3/0x240
Lee Duncan 180de3 
[  651.638820]  SyS_sendmsg+0x32/0x50
Lee Duncan 180de3 
[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2
Lee Duncan 180de3
Lee Duncan 180de3 
It's caused by skb_shared_info at the end of sk_buff was overwritten by
Lee Duncan 180de3 
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
Lee Duncan 180de3
Lee Duncan 180de3 
During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
Lee Duncan 180de3 
ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
Lee Duncan 180de3 
new value to skb_shinfo(SKB)->nr_frags by ev->type.
Lee Duncan 180de3
Lee Duncan 180de3 
This patch is to fix it by checking nlh->nlmsg_len properly there to
Lee Duncan 180de3 
avoid over accessing sk_buff.
Lee Duncan 180de3
Lee Duncan 180de3 
Reported-by: ChunYu Wang <chunwang@redhat.com>
Lee Duncan 180de3 
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Lee Duncan 180de3 
Acked-by: Chris Leech <cleech@redhat.com>
Lee Duncan 180de3 
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Lee Duncan 180de3 
Acked-by: Lee Duncan <lduncan@suse.com>
Lee Duncan 180de3 
---
Lee Duncan 180de3 
 drivers/scsi/scsi_transport_iscsi.c | 2 +-
Lee Duncan 180de3 
 1 file changed, 1 insertion(+), 1 deletion(-)
Lee Duncan 180de3
Lee Duncan 180de3 
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
Lee Duncan 180de3 
index 8934f19bce8e..0190aeff5f7f 100644
Lee Duncan 180de3 
--- a/drivers/scsi/scsi_transport_iscsi.c
Lee Duncan 180de3 
+++ b/drivers/scsi/scsi_transport_iscsi.c
Lee Duncan 180de3 
@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
Lee Duncan 180de3 
 		uint32_t group;
Lee Duncan 180de3
Lee Duncan 180de3 
 		nlh = nlmsg_hdr(skb);
Lee Duncan 180de3 
-		if (nlh->nlmsg_len < sizeof(*nlh) ||
Lee Duncan 180de3 
+		if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
Lee Duncan 180de3 
 		    skb->len < nlh->nlmsg_len) {
Lee Duncan 180de3 
 			break;
Lee Duncan 180de3 
 		}
Lee Duncan 180de3 
--
Lee Duncan 180de3 
2.12.3
Lee Duncan 180de3
Lee Duncan 180de3
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.