Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
"This is two minor bug fixes (aacraid, target) and a fix for a
potential exploit in the way sg handles teardown"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: sg: mitigate read/write abuse
scsi: aacraid: Fix PD performance regression over incorrect qd being set
scsi: target: Fix truncated PR-in ReadKeys response

+57 -15
+7 -8
drivers/scsi/aacraid/aachba.c
··· 1974 1974 u32 lun_count, nexus; 1975 1975 u32 i, bus, target; 1976 1976 u8 expose_flag, attribs; 1977 - u8 devtype; 1978 1977 1979 1978 lun_count = aac_get_safw_phys_lun_count(dev); 1980 1979 ··· 1991 1992 continue; 1992 1993 1993 1994 if (expose_flag != 0) { 1994 - devtype = AAC_DEVTYPE_RAID_MEMBER; 1995 - goto update_devtype; 1995 + dev->hba_map[bus][target].devtype = 1996 + AAC_DEVTYPE_RAID_MEMBER; 1997 + continue; 1996 1998 } 1997 1999 1998 2000 if (nexus != 0 && (attribs & 8)) { 1999 - devtype = AAC_DEVTYPE_NATIVE_RAW; 2001 + dev->hba_map[bus][target].devtype = 2002 + AAC_DEVTYPE_NATIVE_RAW; 2000 2003 dev->hba_map[bus][target].rmw_nexus = 2001 2004 nexus; 2002 2005 } else 2003 - devtype = AAC_DEVTYPE_ARC_RAW; 2006 + dev->hba_map[bus][target].devtype = 2007 + AAC_DEVTYPE_ARC_RAW; 2004 2008 2005 2009 dev->hba_map[bus][target].scan_counter = dev->scan_counter; 2006 2010 2007 2011 aac_set_safw_target_qd(dev, bus, target); 2008 - 2009 - update_devtype: 2010 - dev->hba_map[bus][target].devtype = devtype; 2011 2012 } 2012 2013 } 2013 2014
+40 -2
drivers/scsi/sg.c
··· 51 51 #include <linux/atomic.h> 52 52 #include <linux/ratelimit.h> 53 53 #include <linux/uio.h> 54 + #include <linux/cred.h> /* for sg_check_file_access() */ 54 55 55 56 #include "scsi.h" 56 57 #include <scsi/scsi_dbg.h> ··· 209 208 #define sg_printk(prefix, sdp, fmt, a...) \ 210 209 sdev_prefix_printk(prefix, (sdp)->device, \ 211 210 (sdp)->disk->disk_name, fmt, ##a) 211 + 212 + /* 213 + * The SCSI interfaces that use read() and write() as an asynchronous variant of 214 + * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways 215 + * to trigger read() and write() calls from various contexts with elevated 216 + * privileges. This can lead to kernel memory corruption (e.g. if these 217 + * interfaces are called through splice()) and privilege escalation inside 218 + * userspace (e.g. if a process with access to such a device passes a file 219 + * descriptor to a SUID binary as stdin/stdout/stderr). 220 + * 221 + * This function provides protection for the legacy API by restricting the 222 + * calling context. 223 + */ 224 + static int sg_check_file_access(struct file *filp, const char *caller) 225 + { 226 + if (filp->f_cred != current_real_cred()) { 227 + pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n", 228 + caller, task_tgid_vnr(current), current->comm); 229 + return -EPERM; 230 + } 231 + if (uaccess_kernel()) { 232 + pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", 233 + caller, task_tgid_vnr(current), current->comm); 234 + return -EACCES; 235 + } 236 + return 0; 237 + } 212 238 213 239 static int sg_allow_access(struct file *filp, unsigned char *cmd) 214 240 { ··· 420 392 sg_io_hdr_t *hp; 421 393 struct sg_header *old_hdr = NULL; 422 394 int retval = 0; 395 + 396 + /* 397 + * This could cause a response to be stranded. Close the associated 398 + * file descriptor to free up any resources being held. 399 + */ 400 + retval = sg_check_file_access(filp, __func__); 401 + if (retval) 402 + return retval; 423 403 424 404 if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) 425 405 return -ENXIO; ··· 616 580 struct sg_header old_hdr; 617 581 sg_io_hdr_t *hp; 618 582 unsigned char cmnd[SG_MAX_CDB_SIZE]; 583 + int retval; 619 584 620 - if (unlikely(uaccess_kernel())) 621 - return -EINVAL; 585 + retval = sg_check_file_access(filp, __func__); 586 + if (retval) 587 + return retval; 622 588 623 589 if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) 624 590 return -ENXIO;
+10 -5
drivers/target/target_core_pr.c
··· 3727 3727 * Check for overflow of 8byte PRI READ_KEYS payload and 3728 3728 * next reservation key list descriptor. 3729 3729 */ 3730 - if ((add_len + 8) > (cmd->data_length - 8)) 3731 - break; 3732 - 3733 - put_unaligned_be64(pr_reg->pr_res_key, &buf[off]); 3734 - off += 8; 3730 + if (off + 8 <= cmd->data_length) { 3731 + put_unaligned_be64(pr_reg->pr_res_key, &buf[off]); 3732 + off += 8; 3733 + } 3734 + /* 3735 + * SPC5r17: 6.16.2 READ KEYS service action 3736 + * The ADDITIONAL LENGTH field indicates the number of bytes in 3737 + * the Reservation key list. The contents of the ADDITIONAL 3738 + * LENGTH field are not altered based on the allocation length 3739 + */ 3735 3740 add_len += 8; 3736 3741 } 3737 3742 spin_unlock(&dev->t10_pr.registration_lock);