[patch] vhost/scsi: potential memory corruption

All of lore.kernel.org
 help / color / mirror / Atom feed

* [patch] vhost/scsi: potential memory corruption
@ 2015-02-05  7:37 ` Dan Carpenter
  0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2015-02-05  7:37 UTC (permalink / raw)
  To: Michael S. Tsirkin, Nicholas Bellinger
  Cc: kernel-janitors, linux-scsi, kvm, virtualization

This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.

I looked at the context and it turns out that in
vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
anything higher than 255 then it is invalid.  I have made that the limit
now.

In vhost_scsi_send_evt() we mask away values higher than 255, but now
that the limit has changed, we don't need the mask.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Compile tested only.

diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index 3e265ef..4339222 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -1278,7 +1278,7 @@ vhost_scsi_send_evt(struct vhost_scsi *vs,
 		 * lun[4-7] need to be zero according to virtio-scsi spec.
 		 */
 		evt->event.lun[0] = 0x01;
-		evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
+		evt->event.lun[1] = tpg->tport_tpgt;
 		if (lun->unpacked_lun >= 256)
 			evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
 		evt->event.lun[3] = lun->unpacked_lun & 0xFF;
@@ -2149,12 +2149,12 @@ vhost_scsi_make_tpg(struct se_wwn *wwn,
 			struct vhost_scsi_tport, tport_wwn);
 
 	struct vhost_scsi_tpg *tpg;
-	unsigned long tpgt;
+	u16 tpgt;
 	int ret;
 
 	if (strstr(name, "tpgt_") != name)
 		return ERR_PTR(-EINVAL);
-	if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
+	if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
 		return ERR_PTR(-EINVAL);
 
 	tpg = kzalloc(sizeof(struct vhost_scsi_tpg), GFP_KERNEL);

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [patch] vhost/scsi: potential memory corruption
@ 2015-02-05  7:37 ` Dan Carpenter
  0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2015-02-05  7:37 UTC (permalink / raw)
  To: Michael S. Tsirkin, Nicholas Bellinger
  Cc: kernel-janitors, linux-scsi, kvm, virtualization

This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.

I looked at the context and it turns out that in
vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
anything higher than 255 then it is invalid.  I have made that the limit
now.

In vhost_scsi_send_evt() we mask away values higher than 255, but now
that the limit has changed, we don't need the mask.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Compile tested only.

diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index 3e265ef..4339222 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -1278,7 +1278,7 @@ vhost_scsi_send_evt(struct vhost_scsi *vs,
 		 * lun[4-7] need to be zero according to virtio-scsi spec.
 		 */
 		evt->event.lun[0] = 0x01;
-		evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
+		evt->event.lun[1] = tpg->tport_tpgt;
 		if (lun->unpacked_lun >= 256)
 			evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
 		evt->event.lun[3] = lun->unpacked_lun & 0xFF;
@@ -2149,12 +2149,12 @@ vhost_scsi_make_tpg(struct se_wwn *wwn,
 			struct vhost_scsi_tport, tport_wwn);
 
 	struct vhost_scsi_tpg *tpg;
-	unsigned long tpgt;
+	u16 tpgt;
 	int ret;
 
 	if (strstr(name, "tpgt_") != name)
 		return ERR_PTR(-EINVAL);
-	if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
+	if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
 		return ERR_PTR(-EINVAL);
 
 	tpg = kzalloc(sizeof(struct vhost_scsi_tpg), GFP_KERNEL);

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [patch] vhost/scsi: potential memory corruption
  2015-02-05  7:37 ` Dan Carpenter
@ 2015-02-06 18:48   ` Nicholas A. Bellinger
  -1 siblings, 0 replies; 5+ messages in thread
From: Nicholas A. Bellinger @ 2015-02-06 18:48 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: virtualization, kernel-janitors, linux-scsi, kvm,
	Michael S. Tsirkin

On Thu, 2015-02-05 at 10:37 +0300, Dan Carpenter wrote:
> This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
> to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
> 
> I looked at the context and it turns out that in
> vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
> the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
> anything higher than 255 then it is invalid.  I have made that the limit
> now.
> 
> In vhost_scsi_send_evt() we mask away values higher than 255, but now
> that the limit has changed, we don't need the mask.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Compile tested only.
> 
> diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
> index 3e265ef..4339222 100644
> --- a/drivers/vhost/scsi.c
> +++ b/drivers/vhost/scsi.c
> @@ -1278,7 +1278,7 @@ vhost_scsi_send_evt(struct vhost_scsi *vs,
>  		 * lun[4-7] need to be zero according to virtio-scsi spec.
>  		 */
>  		evt->event.lun[0] = 0x01;
> -		evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
> +		evt->event.lun[1] = tpg->tport_tpgt;
>  		if (lun->unpacked_lun >= 256)
>  			evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
>  		evt->event.lun[3] = lun->unpacked_lun & 0xFF;
> @@ -2149,12 +2149,12 @@ vhost_scsi_make_tpg(struct se_wwn *wwn,
>  			struct vhost_scsi_tport, tport_wwn);
>  
>  	struct vhost_scsi_tpg *tpg;
> -	unsigned long tpgt;
> +	u16 tpgt;
>  	int ret;
>  
>  	if (strstr(name, "tpgt_") != name)
>  		return ERR_PTR(-EINVAL);
> -	if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
> +	if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
>  		return ERR_PTR(-EINVAL);
>  
>  	tpg = kzalloc(sizeof(struct vhost_scsi_tpg), GFP_KERNEL);

Nice catch Dan.  Applied to target-pending/for-next.

--nab




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [patch] vhost/scsi: potential memory corruption
@ 2015-02-06 18:48   ` Nicholas A. Bellinger
  0 siblings, 0 replies; 5+ messages in thread
From: Nicholas A. Bellinger @ 2015-02-06 18:48 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: virtualization, kernel-janitors, linux-scsi, kvm,
	Michael S. Tsirkin

On Thu, 2015-02-05 at 10:37 +0300, Dan Carpenter wrote:
> This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
> to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
> 
> I looked at the context and it turns out that in
> vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
> the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
> anything higher than 255 then it is invalid.  I have made that the limit
> now.
> 
> In vhost_scsi_send_evt() we mask away values higher than 255, but now
> that the limit has changed, we don't need the mask.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Compile tested only.
> 
> diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
> index 3e265ef..4339222 100644
> --- a/drivers/vhost/scsi.c
> +++ b/drivers/vhost/scsi.c
> @@ -1278,7 +1278,7 @@ vhost_scsi_send_evt(struct vhost_scsi *vs,
>  		 * lun[4-7] need to be zero according to virtio-scsi spec.
>  		 */
>  		evt->event.lun[0] = 0x01;
> -		evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
> +		evt->event.lun[1] = tpg->tport_tpgt;
>  		if (lun->unpacked_lun >= 256)
>  			evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
>  		evt->event.lun[3] = lun->unpacked_lun & 0xFF;
> @@ -2149,12 +2149,12 @@ vhost_scsi_make_tpg(struct se_wwn *wwn,
>  			struct vhost_scsi_tport, tport_wwn);
>  
>  	struct vhost_scsi_tpg *tpg;
> -	unsigned long tpgt;
> +	u16 tpgt;
>  	int ret;
>  
>  	if (strstr(name, "tpgt_") != name)
>  		return ERR_PTR(-EINVAL);
> -	if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
> +	if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
>  		return ERR_PTR(-EINVAL);
>  
>  	tpg = kzalloc(sizeof(struct vhost_scsi_tpg), GFP_KERNEL);

Nice catch Dan.  Applied to target-pending/for-next.

--nab

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH] vhost/scsi: potential memory corruption
  2015-09-07  2:20 [PATCH] [request stable 3.10 inclusion] CVE-2015-4036 Wang Long
@ 2015-09-07  2:20 ` Wang Long
  0 siblings, 0 replies; 5+ messages in thread
From: Wang Long @ 2015-09-07  2:20 UTC (permalink / raw)
  To: gregkh; +Cc: stable, dan.carpenter, nab

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 59c816c1f24df0204e01851431d3bab3eb76719c upstream.

This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.

I looked at the context and it turns out that in
vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
anything higher than 255 then it is invalid.  I have made that the limit
now.

In vhost_scsi_send_evt() we mask away values higher than 255, but now
that the limit has changed, we don't need the mask.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[ The affected function was renamed to vhost_scsi_make_tpg before
  the vulnerability was announced, I ported it to 3.10 stable and
  changed the code in function tcm_vhost_make_tpg]
Signed-off-by: Wang Long <long.wanglong@huawei.com>
---
 drivers/vhost/scsi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index fb97bc0..2947eda 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -1088,7 +1088,7 @@ static void tcm_vhost_send_evt(struct vhost_scsi *vs, struct tcm_vhost_tpg *tpg,
 		 * lun[4-7] need to be zero according to virtio-scsi spec.
 		 */
 		evt->event.lun[0] = 0x01;
-		evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
+		evt->event.lun[1] = tpg->tport_tpgt;
 		if (lun->unpacked_lun >= 256)
 			evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
 		evt->event.lun[3] = lun->unpacked_lun & 0xFF;
@@ -1894,12 +1894,12 @@ static struct se_portal_group *tcm_vhost_make_tpg(struct se_wwn *wwn,
 			struct tcm_vhost_tport, tport_wwn);
 
 	struct tcm_vhost_tpg *tpg;
-	unsigned long tpgt;
+	u16 tpgt;
 	int ret;
 
 	if (strstr(name, "tpgt_") != name)
 		return ERR_PTR(-EINVAL);
-	if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
+	if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
 		return ERR_PTR(-EINVAL);
 
 	tpg = kzalloc(sizeof(struct tcm_vhost_tpg), GFP_KERNEL);
-- 
1.8.3.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2015-09-07  2:22 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-02-05  7:37 [patch] vhost/scsi: potential memory corruption Dan Carpenter
2015-02-05  7:37 ` Dan Carpenter
2015-02-06 18:48 ` Nicholas A. Bellinger
2015-02-06 18:48   ` Nicholas A. Bellinger
  -- strict thread matches above, loose matches on Subject: below --
2015-09-07  2:20 [PATCH] [request stable 3.10 inclusion] CVE-2015-4036 Wang Long
2015-09-07  2:20 ` [PATCH] vhost/scsi: potential memory corruption Wang Long

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.