[PATCH 5.10.y] scsi: core: Backport fixes for CVE-2021-47182

[PATCH 5.10.y] scsi: core: Backport fixes for CVE-2021-47182

[Vasiliy Kovalev]

The patch titled "scsi: core: Fix scsi_mode_sense() buffer length handling"
addresses CVE-2021-47182, fixing the following issues in `scsi_mode_sense()`
buffer length handling:  

1. Incorrect handling of the allocation length field in the MODE SENSE(10)
   command, causing truncation of buffer lengths larger than 255 bytes.  

2. Memory corruption when handling small buffer lengths due to lack of proper
   validation.  

Original patch submission:  
https://lore.kernel.org/all/20210820070255.682775-2-damien.lemoal@wdc.com/  

CVE announcement in linux-cve-announce:  
https://lore.kernel.org/linux-cve-announce/2024041032-CVE-2021-47182-377e@gregkh/  
Fixed versions:  
- Fixed in 5.15.5 with commit e15de347faf4  
- Fixed in 5.16 with commit 17b49bcbf835  

Official CVE entry:  
https://cve.org/CVERecord/?id=CVE-2021-47182

[PATCH 5.10.y] scsi: core: Fix scsi_mode_sense() buffer length handling

[PATCH 5.10.y] scsi: core: Fix scsi_mode_sense() buffer length handling

[Vasiliy Kovalev]

From: Damien Le Moal <damien.lemoal@wdc.com>

commit 17b49bcbf8351d3dbe57204468ac34f033ed60bc upstream.

Several problems exist with scsi_mode_sense() buffer length handling:

 1) The allocation length field of the MODE SENSE(10) command is 16-bits,
    occupying bytes 7 and 8 of the CDB. With this command, access to mode
    pages larger than 255 bytes is thus possible. However, the CDB
    allocation length field is set by assigning len to byte 8 only, thus
    truncating buffer length larger than 255.

 2) If scsi_mode_sense() is called with len smaller than 8 with
    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length
    is increased to 8 and 4 respectively, and the buffer is zero filled
    with these increased values, thus corrupting the memory following the
    buffer.

Fix these 2 problems by using put_unaligned_be16() to set the allocation
length field of MODE SENSE(10) CDB and by returning an error when len is
too small.

Furthermore, if len is larger than 255B, always try MODE SENSE(10) first,
even if the device driver did not set sdev->use_10_for_ms. In case of
invalid opcode error for MODE SENSE(10), access to mode pages larger than
255 bytes are not retried using MODE SENSE(6). To avoid buffer length
overflows for the MODE_SENSE(10) case, check that len is smaller than 65535
bytes.

While at it, also fix the folowing:

 * Use get_unaligned_be16() to retrieve the mode data length and block
   descriptor length fields of the mode sense reply header instead of using
   an open coded calculation.

 * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable
   Block Descriptor, which is the opposite of what the dbd argument
   description was.

Link: https://lore.kernel.org/r/20210820070255.682775-2-damien.lemoal@wdc.com
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
 drivers/scsi/scsi_lib.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 64ae7bc2de604..0a9db3464fd48 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2068,7 +2068,7 @@ EXPORT_SYMBOL_GPL(scsi_mode_select);
 /**
  *	scsi_mode_sense - issue a mode sense, falling back from 10 to six bytes if necessary.
  *	@sdev:	SCSI device to be queried
- *	@dbd:	set if mode sense will allow block descriptors to be returned
+ *	@dbd:	set to prevent mode sense from returning block descriptors
  *	@modepage: mode page being requested
  *	@buffer: request buffer (may not be smaller than eight bytes)
  *	@len:	length of request buffer.
@@ -2103,18 +2103,18 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
 		sshdr = &my_sshdr;
 
  retry:
-	use_10_for_ms = sdev->use_10_for_ms;
+	use_10_for_ms = sdev->use_10_for_ms || len > 255;
 
 	if (use_10_for_ms) {
-		if (len < 8)
-			len = 8;
+		if (len < 8 || len > 65535)
+			return -EINVAL;
 
 		cmd[0] = MODE_SENSE_10;
-		cmd[8] = len;
+		put_unaligned_be16(len, &cmd[7]);
 		header_length = 8;
 	} else {
 		if (len < 4)
-			len = 4;
+			return -EINVAL;
 
 		cmd[0] = MODE_SENSE;
 		cmd[4] = len;
@@ -2139,8 +2139,14 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
 			if ((sshdr->sense_key == ILLEGAL_REQUEST) &&
 			    (sshdr->asc == 0x20) && (sshdr->ascq == 0)) {
 				/*
-				 * Invalid command operation code
+				 * Invalid command operation code: retry using
+				 * MODE SENSE(6) if this was a MODE SENSE(10)
+				 * request, except if the request mode page is
+				 * too large for MODE SENSE single byte
+				 * allocation length field.
 				 */
+				if (len > 255)
+					return -EIO;
 				sdev->use_10_for_ms = 0;
 				goto retry;
 			}
@@ -2158,12 +2164,11 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
 			data->longlba = 0;
 			data->block_descriptor_length = 0;
 		} else if (use_10_for_ms) {
-			data->length = buffer[0]*256 + buffer[1] + 2;
+			data->length = get_unaligned_be16(&buffer[0]) + 2;
 			data->medium_type = buffer[2];
 			data->device_specific = buffer[3];
 			data->longlba = buffer[4] & 0x01;
-			data->block_descriptor_length = buffer[6]*256
-				+ buffer[7];
+			data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
 		} else {
 			data->length = buffer[0] + 1;
 			data->medium_type = buffer[1];
-- 
2.33.8

Re: [PATCH 5.10.y] scsi: core: Fix scsi_mode_sense() buffer length handling

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 17b49bcbf8351d3dbe57204468ac34f033ed60bc

WARNING: Author mismatch between patch and upstream commit:
Backport author: Vasiliy Kovalev <kovalev@altlinux.org>
Commit author: Damien Le Moal <damien.lemoal@wdc.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (different SHA1: e15de347faf4)
5.10.y | Not found

Note: The patch differs from the upstream commit:
---
--- -	2024-11-22 14:28:14.472822873 -0500
+++ /tmp/tmp.ZvzLslfZma	2024-11-22 14:28:14.464095287 -0500
@@ -1,3 +1,5 @@
+commit 17b49bcbf8351d3dbe57204468ac34f033ed60bc upstream.
+
 Several problems exist with scsi_mode_sense() buffer length handling:
 
  1) The allocation length field of the MODE SENSE(10) command is 16-bits,
@@ -36,15 +38,16 @@
 Link: https://lore.kernel.org/r/20210820070255.682775-2-damien.lemoal@wdc.com
 Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
 ---
  drivers/scsi/scsi_lib.c | 25 +++++++++++++++----------
  1 file changed, 15 insertions(+), 10 deletions(-)
 
 diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 572673873ddf8..701d8e8480f22 100644
+index 64ae7bc2de604..0a9db3464fd48 100644
 --- a/drivers/scsi/scsi_lib.c
 +++ b/drivers/scsi/scsi_lib.c
-@@ -2075,7 +2075,7 @@ EXPORT_SYMBOL_GPL(scsi_mode_select);
+@@ -2068,7 +2068,7 @@ EXPORT_SYMBOL_GPL(scsi_mode_select);
  /**
   *	scsi_mode_sense - issue a mode sense, falling back from 10 to six bytes if necessary.
   *	@sdev:	SCSI device to be queried
@@ -53,7 +56,7 @@
   *	@modepage: mode page being requested
   *	@buffer: request buffer (may not be smaller than eight bytes)
   *	@len:	length of request buffer.
-@@ -2110,18 +2110,18 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+@@ -2103,18 +2103,18 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
  		sshdr = &my_sshdr;
  
   retry:
@@ -77,7 +80,7 @@
  
  		cmd[0] = MODE_SENSE;
  		cmd[4] = len;
-@@ -2145,9 +2145,15 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+@@ -2139,8 +2139,14 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
  			if ((sshdr->sense_key == ILLEGAL_REQUEST) &&
  			    (sshdr->asc == 0x20) && (sshdr->ascq == 0)) {
  				/*
@@ -88,24 +91,26 @@
 +				 * too large for MODE SENSE single byte
 +				 * allocation length field.
  				 */
- 				if (use_10_for_ms) {
-+					if (len > 255)
-+						return -EIO;
- 					sdev->use_10_for_ms = 0;
- 					goto retry;
- 				}
-@@ -2171,12 +2177,11 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
- 		data->longlba = 0;
- 		data->block_descriptor_length = 0;
- 	} else if (use_10_for_ms) {
--		data->length = buffer[0]*256 + buffer[1] + 2;
-+		data->length = get_unaligned_be16(&buffer[0]) + 2;
- 		data->medium_type = buffer[2];
- 		data->device_specific = buffer[3];
- 		data->longlba = buffer[4] & 0x01;
--		data->block_descriptor_length = buffer[6]*256
--			+ buffer[7];
-+		data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
- 	} else {
- 		data->length = buffer[0] + 1;
- 		data->medium_type = buffer[1];
++				if (len > 255)
++					return -EIO;
+ 				sdev->use_10_for_ms = 0;
+ 				goto retry;
+ 			}
+@@ -2158,12 +2164,11 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+ 			data->longlba = 0;
+ 			data->block_descriptor_length = 0;
+ 		} else if (use_10_for_ms) {
+-			data->length = buffer[0]*256 + buffer[1] + 2;
++			data->length = get_unaligned_be16(&buffer[0]) + 2;
+ 			data->medium_type = buffer[2];
+ 			data->device_specific = buffer[3];
+ 			data->longlba = buffer[4] & 0x01;
+-			data->block_descriptor_length = buffer[6]*256
+-				+ buffer[7];
++			data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
+ 		} else {
+ 			data->length = buffer[0] + 1;
+ 			data->medium_type = buffer[1];
+-- 
+2.33.8
+
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y       |  Success    |  Success   |