|
Lee Duncan |
180de3 |
From: Xin Long <lucien.xin@gmail.com>
|
|
Lee Duncan |
180de3 |
Date: Sun, 27 Aug 2017 20:25:26 +0800
|
|
Lee Duncan |
180de3 |
Subject: [PATCH] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx
|
|
Lee Duncan |
180de3 |
doesn't parse nlmsg properly
|
|
Lee Duncan |
180de3 |
Patch-mainline: Queued in subsystem maintainer repository
|
|
Lee Duncan |
180de3 |
References: bsc#1059051 CVE-2017-14489
|
|
Lee Duncan |
180de3 |
Git-repo: git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git branch 4.14/scsi-fixes
|
|
Lee Duncan |
180de3 |
Git-commit: c88f0e6b06f4092995688211a631bb436125d77b
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
ChunYu found a kernel crash by syzkaller:
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
|
|
Lee Duncan |
180de3 |
[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
|
|
Lee Duncan |
180de3 |
[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
|
|
Lee Duncan |
180de3 |
[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
|
|
Lee Duncan |
180de3 |
[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
|
|
Lee Duncan |
180de3 |
[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
|
|
Lee Duncan |
180de3 |
[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
|
|
Lee Duncan |
180de3 |
[...]
|
|
Lee Duncan |
180de3 |
[ 651.627260] Call Trace:
|
|
Lee Duncan |
180de3 |
[ 651.629156] skb_release_all+0x4f/0x60
|
|
Lee Duncan |
180de3 |
[ 651.629450] consume_skb+0x1a5/0x600
|
|
Lee Duncan |
180de3 |
[ 651.630705] netlink_unicast+0x505/0x720
|
|
Lee Duncan |
180de3 |
[ 651.632345] netlink_sendmsg+0xab2/0xe70
|
|
Lee Duncan |
180de3 |
[ 651.633704] sock_sendmsg+0xcf/0x110
|
|
Lee Duncan |
180de3 |
[ 651.633942] ___sys_sendmsg+0x833/0x980
|
|
Lee Duncan |
180de3 |
[ 651.637117] __sys_sendmsg+0xf3/0x240
|
|
Lee Duncan |
180de3 |
[ 651.638820] SyS_sendmsg+0x32/0x50
|
|
Lee Duncan |
180de3 |
[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
It's caused by skb_shared_info at the end of sk_buff was overwritten by
|
|
Lee Duncan |
180de3 |
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
|
|
Lee Duncan |
180de3 |
ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
|
|
Lee Duncan |
180de3 |
new value to skb_shinfo(SKB)->nr_frags by ev->type.
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
This patch is to fix it by checking nlh->nlmsg_len properly there to
|
|
Lee Duncan |
180de3 |
avoid over accessing sk_buff.
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
Reported-by: ChunYu Wang <chunwang@redhat.com>
|
|
Lee Duncan |
180de3 |
Signed-off-by: Xin Long <lucien.xin@gmail.com>
|
|
Lee Duncan |
180de3 |
Acked-by: Chris Leech <cleech@redhat.com>
|
|
Lee Duncan |
180de3 |
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
|
Lee Duncan |
180de3 |
Acked-by: Lee Duncan <lduncan@suse.com>
|
|
Lee Duncan |
180de3 |
---
|
|
Lee Duncan |
180de3 |
drivers/scsi/scsi_transport_iscsi.c | 2 +-
|
|
Lee Duncan |
180de3 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
|
|
Lee Duncan |
180de3 |
index 8934f19bce8e..0190aeff5f7f 100644
|
|
Lee Duncan |
180de3 |
--- a/drivers/scsi/scsi_transport_iscsi.c
|
|
Lee Duncan |
180de3 |
+++ b/drivers/scsi/scsi_transport_iscsi.c
|
|
Lee Duncan |
180de3 |
@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
|
|
Lee Duncan |
180de3 |
uint32_t group;
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
nlh = nlmsg_hdr(skb);
|
|
Lee Duncan |
180de3 |
- if (nlh->nlmsg_len < sizeof(*nlh) ||
|
|
Lee Duncan |
180de3 |
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
|
|
Lee Duncan |
180de3 |
skb->len < nlh->nlmsg_len) {
|
|
Lee Duncan |
180de3 |
break;
|
|
Lee Duncan |
180de3 |
}
|
|
Lee Duncan |
180de3 |
--
|
|
Lee Duncan |
180de3 |
2.12.3
|
|
Lee Duncan |
180de3 |
|
|
Lee Duncan |
180de3 |
|