[PATCH v2 5.10.y 0/3] scsi: Backport fixes for CVE-2021-47182

[PATCH v2 5.10.y 0/3] scsi: Backport fixes for CVE-2021-47182

[Vasiliy Kovalev]

The patch titled "scsi: core: Fix scsi_mode_sense() buffer length handling"
addresses CVE-2021-47182, fixing the following issues in `scsi_mode_sense()`
buffer length handling:  

1. Incorrect handling of the allocation length field in the MODE SENSE(10)
   command, causing truncation of buffer lengths larger than 255 bytes.  

2. Memory corruption when handling small buffer lengths due to lack of proper
   validation.  

CVE announcement in linux-cve-announce:  
https://lore.kernel.org/linux-cve-announce/2024041032-CVE-2021-47182-377e@gregkh/  
Fixed versions:  
- Fixed in 5.15.5 with commit e15de347faf4  
- Fixed in 5.16 with commit 17b49bcbf835  

Official CVE entry:  
https://cve.org/CVERecord/?id=CVE-2021-47182

---
v2: To ensure consistency and completeness of the fixes, this backport
includes all 3 patches from the series [1].
In addition to the first patch that addresses the CVE, the second and
third patches are included, which prevent further regressions and align
with the fixes already backported and proposed for backporting [2] to
the stable 5.15 kernel.

[1] https://lore.kernel.org/all/20210820070255.682775-1-damien.lemoal@wdc.com/
[2] https://lore.kernel.org/all/20241209165340.112862-1-kovalev@altlinux.org/

[PATCH 5.10.y 1/3] scsi: core: Fix scsi_mode_sense() buffer length handling
[PATCH 5.10.y 2/3] scsi: core: Fix scsi_mode_select() buffer length handling
[PATCH 5.10.y 3/3] scsi: sd: Fix sd_do_mode_sense() buffer length handling

[PATCH 5.10.y 1/3] scsi: core: Fix scsi_mode_sense() buffer length handling

[Vasiliy Kovalev]

From: Damien Le Moal <damien.lemoal@wdc.com>

commit 17b49bcbf8351d3dbe57204468ac34f033ed60bc upstream.

Several problems exist with scsi_mode_sense() buffer length handling:

 1) The allocation length field of the MODE SENSE(10) command is 16-bits,
    occupying bytes 7 and 8 of the CDB. With this command, access to mode
    pages larger than 255 bytes is thus possible. However, the CDB
    allocation length field is set by assigning len to byte 8 only, thus
    truncating buffer length larger than 255.

 2) If scsi_mode_sense() is called with len smaller than 8 with
    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length
    is increased to 8 and 4 respectively, and the buffer is zero filled
    with these increased values, thus corrupting the memory following the
    buffer.

Fix these 2 problems by using put_unaligned_be16() to set the allocation
length field of MODE SENSE(10) CDB and by returning an error when len is
too small.

Furthermore, if len is larger than 255B, always try MODE SENSE(10) first,
even if the device driver did not set sdev->use_10_for_ms. In case of
invalid opcode error for MODE SENSE(10), access to mode pages larger than
255 bytes are not retried using MODE SENSE(6). To avoid buffer length
overflows for the MODE_SENSE(10) case, check that len is smaller than 65535
bytes.

While at it, also fix the folowing:

 * Use get_unaligned_be16() to retrieve the mode data length and block
   descriptor length fields of the mode sense reply header instead of using
   an open coded calculation.

 * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable
   Block Descriptor, which is the opposite of what the dbd argument
   description was.

Link: https://lore.kernel.org/r/20210820070255.682775-2-damien.lemoal@wdc.com
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
 drivers/scsi/scsi_lib.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 64ae7bc2de6040..0a9db3464fd48e 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2068,7 +2068,7 @@ EXPORT_SYMBOL_GPL(scsi_mode_select);
 /**
  *	scsi_mode_sense - issue a mode sense, falling back from 10 to six bytes if necessary.
  *	@sdev:	SCSI device to be queried
- *	@dbd:	set if mode sense will allow block descriptors to be returned
+ *	@dbd:	set to prevent mode sense from returning block descriptors
  *	@modepage: mode page being requested
  *	@buffer: request buffer (may not be smaller than eight bytes)
  *	@len:	length of request buffer.
@@ -2103,18 +2103,18 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
 		sshdr = &my_sshdr;
 
  retry:
-	use_10_for_ms = sdev->use_10_for_ms;
+	use_10_for_ms = sdev->use_10_for_ms || len > 255;
 
 	if (use_10_for_ms) {
-		if (len < 8)
-			len = 8;
+		if (len < 8 || len > 65535)
+			return -EINVAL;
 
 		cmd[0] = MODE_SENSE_10;
-		cmd[8] = len;
+		put_unaligned_be16(len, &cmd[7]);
 		header_length = 8;
 	} else {
 		if (len < 4)
-			len = 4;
+			return -EINVAL;
 
 		cmd[0] = MODE_SENSE;
 		cmd[4] = len;
@@ -2139,8 +2139,14 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
 			if ((sshdr->sense_key == ILLEGAL_REQUEST) &&
 			    (sshdr->asc == 0x20) && (sshdr->ascq == 0)) {
 				/*
-				 * Invalid command operation code
+				 * Invalid command operation code: retry using
+				 * MODE SENSE(6) if this was a MODE SENSE(10)
+				 * request, except if the request mode page is
+				 * too large for MODE SENSE single byte
+				 * allocation length field.
 				 */
+				if (len > 255)
+					return -EIO;
 				sdev->use_10_for_ms = 0;
 				goto retry;
 			}
@@ -2158,12 +2164,11 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
 			data->longlba = 0;
 			data->block_descriptor_length = 0;
 		} else if (use_10_for_ms) {
-			data->length = buffer[0]*256 + buffer[1] + 2;
+			data->length = get_unaligned_be16(&buffer[0]) + 2;
 			data->medium_type = buffer[2];
 			data->device_specific = buffer[3];
 			data->longlba = buffer[4] & 0x01;
-			data->block_descriptor_length = buffer[6]*256
-				+ buffer[7];
+			data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
 		} else {
 			data->length = buffer[0] + 1;
 			data->medium_type = buffer[1];
-- 
2.33.8

[PATCH 5.10.y 2/3] scsi: core: Fix scsi_mode_select() buffer length handling

[Vasiliy Kovalev]

From: Damien Le Moal <damien.lemoal@wdc.com>

commit a7d6840bed0c2b16ac3071b74b5fcf08fc488241 upstream.

The MODE SELECT(6) command allows handling mode page buffers that are up to
255 bytes, including the 4 byte header needed in front of the page
buffer. For requests larger than this limit, automatically use the MODE
SELECT(10) command.

In both cases, since scsi_mode_select() adds the mode select page header,
checks on the buffer length value must include this header size to avoid
overflows of the command CDB allocation length field.

While at it, use put_unaligned_be16() for setting the header block
descriptor length and CDB allocation length when using MODE SELECT(10).

[mkp: fix MODE SENSE vs. MODE SELECT confusion]

Link: https://lore.kernel.org/r/20210820070255.682775-3-damien.lemoal@wdc.com
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
 drivers/scsi/scsi_lib.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 0a9db3464fd48e..06838cf5300d00 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2019,8 +2019,15 @@ scsi_mode_select(struct scsi_device *sdev, int pf, int sp, int modepage,
 	memset(cmd, 0, sizeof(cmd));
 	cmd[1] = (pf ? 0x10 : 0) | (sp ? 0x01 : 0);
 
-	if (sdev->use_10_for_ms) {
-		if (len > 65535)
+	/*
+	 * Use MODE SELECT(10) if the device asked for it or if the mode page
+	 * and the mode select header cannot fit within the maximumm 255 bytes
+	 * of the MODE SELECT(6) command.
+	 */
+	if (sdev->use_10_for_ms ||
+	    len + 4 > 255 ||
+	    data->block_descriptor_length > 255) {
+		if (len > 65535 - 8)
 			return -EINVAL;
 		real_buffer = kmalloc(8 + len, GFP_KERNEL);
 		if (!real_buffer)
@@ -2033,15 +2040,13 @@ scsi_mode_select(struct scsi_device *sdev, int pf, int sp, int modepage,
 		real_buffer[3] = data->device_specific;
 		real_buffer[4] = data->longlba ? 0x01 : 0;
 		real_buffer[5] = 0;
-		real_buffer[6] = data->block_descriptor_length >> 8;
-		real_buffer[7] = data->block_descriptor_length;
+		put_unaligned_be16(data->block_descriptor_length,
+				   &real_buffer[6]);
 
 		cmd[0] = MODE_SELECT_10;
-		cmd[7] = len >> 8;
-		cmd[8] = len;
+		put_unaligned_be16(len, &cmd[7]);
 	} else {
-		if (len > 255 || data->block_descriptor_length > 255 ||
-		    data->longlba)
+		if (data->longlba)
 			return -EINVAL;
 
 		real_buffer = kmalloc(4 + len, GFP_KERNEL);
-- 
2.33.8

[PATCH 5.10.y 3/3] scsi: sd: Fix sd_do_mode_sense() buffer length handling

[Vasiliy Kovalev]

From: Damien Le Moal <damien.lemoal@wdc.com>

commit c749301ebee82eb5e97dec14b6ab31a4aabe37a6 upstream.

For devices that explicitly asked for MODE SENSE(10) use, make sure that
scsi_mode_sense() is called with a buffer of at least 8 bytes so that the
sense header fits.

Link: https://lore.kernel.org/r/20210820070255.682775-4-damien.lemoal@wdc.com
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
 drivers/scsi/sd.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index f2dfd9853d3432..2f2ca287887603 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2649,6 +2649,13 @@ sd_do_mode_sense(struct scsi_disk *sdkp, int dbd, int modepage,
 		 unsigned char *buffer, int len, struct scsi_mode_data *data,
 		 struct scsi_sense_hdr *sshdr)
 {
+	/*
+	 * If we must use MODE SENSE(10), make sure that the buffer length
+	 * is at least 8 bytes so that the mode sense header fits.
+	 */
+	if (sdkp->device->use_10_for_ms && len < 8)
+		len = 8;
+
 	return scsi_mode_sense(sdkp->device, dbd, modepage, buffer, len,
 			       SD_TIMEOUT, sdkp->max_retries, data,
 			       sshdr);
-- 
2.33.8

Re: [PATCH 5.10.y 3/3] scsi: sd: Fix sd_do_mode_sense() buffer length handling

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: c749301ebee82eb5e97dec14b6ab31a4aabe37a6

WARNING: Author mismatch between patch and upstream commit:
Backport author: Vasiliy Kovalev <kovalev@altlinux.org>
Commit author: Damien Le Moal <damien.lemoal@wdc.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (different SHA1: c82cd4eed128)
5.10.y | Not found

Note: The patch differs from the upstream commit:
---
1:  c749301ebee82 ! 1:  f6b467ad3c189 scsi: sd: Fix sd_do_mode_sense() buffer length handling
    @@ Metadata
      ## Commit message ##
         scsi: sd: Fix sd_do_mode_sense() buffer length handling
     
    +    commit c749301ebee82eb5e97dec14b6ab31a4aabe37a6 upstream.
    +
         For devices that explicitly asked for MODE SENSE(10) use, make sure that
         scsi_mode_sense() is called with a buffer of at least 8 bytes so that the
         sense header fits.
    @@ Commit message
         Link: https://lore.kernel.org/r/20210820070255.682775-4-damien.lemoal@wdc.com
         Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
         Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    +    Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
     
      ## drivers/scsi/sd.c ##
     @@ drivers/scsi/sd.c: sd_do_mode_sense(struct scsi_disk *sdkp, int dbd, int modepage,
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y       |  Success    |  Success   |

Re: [PATCH 5.10.y 1/3] scsi: core: Fix scsi_mode_sense() buffer length handling

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 17b49bcbf8351d3dbe57204468ac34f033ed60bc

WARNING: Author mismatch between patch and upstream commit:
Backport author: Vasiliy Kovalev <kovalev@altlinux.org>
Commit author: Damien Le Moal <damien.lemoal@wdc.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (different SHA1: e15de347faf4)
5.10.y | Not found

Note: The patch differs from the upstream commit:
---
1:  17b49bcbf8351 ! 1:  5e9ba35e00eb9 scsi: core: Fix scsi_mode_sense() buffer length handling
    @@ Metadata
      ## Commit message ##
         scsi: core: Fix scsi_mode_sense() buffer length handling
     
    +    commit 17b49bcbf8351d3dbe57204468ac34f033ed60bc upstream.
    +
         Several problems exist with scsi_mode_sense() buffer length handling:
     
          1) The allocation length field of the MODE SENSE(10) command is 16-bits,
    @@ Commit message
         Link: https://lore.kernel.org/r/20210820070255.682775-2-damien.lemoal@wdc.com
         Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
         Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    +    Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
     
      ## drivers/scsi/scsi_lib.c ##
     @@ drivers/scsi/scsi_lib.c: EXPORT_SYMBOL_GPL(scsi_mode_select);
    @@ drivers/scsi/scsi_lib.c: scsi_mode_sense(struct scsi_device *sdev, int dbd, int
     +				 * too large for MODE SENSE single byte
     +				 * allocation length field.
      				 */
    - 				if (use_10_for_ms) {
    -+					if (len > 255)
    -+						return -EIO;
    - 					sdev->use_10_for_ms = 0;
    - 					goto retry;
    - 				}
    ++				if (len > 255)
    ++					return -EIO;
    + 				sdev->use_10_for_ms = 0;
    + 				goto retry;
    + 			}
     @@ drivers/scsi/scsi_lib.c: scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
    - 		data->longlba = 0;
    - 		data->block_descriptor_length = 0;
    - 	} else if (use_10_for_ms) {
    --		data->length = buffer[0]*256 + buffer[1] + 2;
    -+		data->length = get_unaligned_be16(&buffer[0]) + 2;
    - 		data->medium_type = buffer[2];
    - 		data->device_specific = buffer[3];
    - 		data->longlba = buffer[4] & 0x01;
    --		data->block_descriptor_length = buffer[6]*256
    --			+ buffer[7];
    -+		data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
    - 	} else {
    - 		data->length = buffer[0] + 1;
    - 		data->medium_type = buffer[1];
    + 			data->longlba = 0;
    + 			data->block_descriptor_length = 0;
    + 		} else if (use_10_for_ms) {
    +-			data->length = buffer[0]*256 + buffer[1] + 2;
    ++			data->length = get_unaligned_be16(&buffer[0]) + 2;
    + 			data->medium_type = buffer[2];
    + 			data->device_specific = buffer[3];
    + 			data->longlba = buffer[4] & 0x01;
    +-			data->block_descriptor_length = buffer[6]*256
    +-				+ buffer[7];
    ++			data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
    + 		} else {
    + 			data->length = buffer[0] + 1;
    + 			data->medium_type = buffer[1];
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y       |  Success    |  Success   |

Re: [PATCH 5.10.y 2/3] scsi: core: Fix scsi_mode_select() buffer length handling

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: a7d6840bed0c2b16ac3071b74b5fcf08fc488241

WARNING: Author mismatch between patch and upstream commit:
Backport author: Vasiliy Kovalev <kovalev@altlinux.org>
Commit author: Damien Le Moal <damien.lemoal@wdc.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Not found
5.10.y | Not found

Note: The patch differs from the upstream commit:
---
1:  a7d6840bed0c2 ! 1:  4826a9616670c scsi: core: Fix scsi_mode_select() buffer length handling
    @@ Metadata
      ## Commit message ##
         scsi: core: Fix scsi_mode_select() buffer length handling
     
    +    commit a7d6840bed0c2b16ac3071b74b5fcf08fc488241 upstream.
    +
         The MODE SELECT(6) command allows handling mode page buffers that are up to
         255 bytes, including the 4 byte header needed in front of the page
         buffer. For requests larger than this limit, automatically use the MODE
    @@ Commit message
         Link: https://lore.kernel.org/r/20210820070255.682775-3-damien.lemoal@wdc.com
         Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
         Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    +    Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
     
      ## drivers/scsi/scsi_lib.c ##
     @@ drivers/scsi/scsi_lib.c: scsi_mode_select(struct scsi_device *sdev, int pf, int sp, int modepage,
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y       |  Success    |  Success   |

Re: [PATCH v2 5.10.y 0/3] scsi: Backport fixes for CVE-2021-47182

[Vasiliy Kovalev]

Hi Greg,

09.12.2024 20:03, Vasiliy Kovalev wrote:
> The patch titled "scsi: core: Fix scsi_mode_sense() buffer length handling"
> addresses CVE-2021-47182, fixing the following issues in `scsi_mode_sense()`
> buffer length handling:
> 
> 1. Incorrect handling of the allocation length field in the MODE SENSE(10)
>     command, causing truncation of buffer lengths larger than 255 bytes.
> 
> 2. Memory corruption when handling small buffer lengths due to lack of proper
>     validation.
> 
> CVE announcement in linux-cve-announce:
> https://lore.kernel.org/linux-cve-announce/2024041032-CVE-2021-47182-377e@gregkh/
> Fixed versions:
> - Fixed in 5.15.5 with commit e15de347faf4
> - Fixed in 5.16 with commit 17b49bcbf835
> 
> Official CVE entry:
> https://cve.org/CVERecord/?id=CVE-2021-47182
> 
> ---
> v2: To ensure consistency and completeness of the fixes, this backport
> includes all 3 patches from the series [1].
> In addition to the first patch that addresses the CVE, the second and
> third patches are included, which prevent further regressions and align
> with the fixes already backported and proposed for backporting [2] to
> the stable 5.15 kernel.
> 
> [1] https://lore.kernel.org/all/20210820070255.682775-1-damien.lemoal@wdc.com/
> [2] https://lore.kernel.org/all/20241209165340.112862-1-kovalev@altlinux.org/
> 
> [PATCH 5.10.y 1/3] scsi: core: Fix scsi_mode_sense() buffer length handling

Please add this [1] missing commit from this series to queue 5.10.y.

[1] 
https://lore.kernel.org/all/20241209170330.113179-2-kovalev@altlinux.org/

The other two have already been added in 5.10.231:

> [PATCH 5.10.y 2/3] scsi: core: Fix scsi_mode_select() buffer length handling
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=154cf95664de63382a397205ea6254ed5b769ec2

> [PATCH 5.10.y 3/3] scsi: sd: Fix sd_do_mode_sense() buffer length handling
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=a0777b45095f5ec3c220f074cfc9cc9721a455b0

> 

-- 
--
Thanks,
Vasiliy