[linux] 10/10: sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-9576)

debian-kernel at lists.debian.org
Wed Dec 28 20:44:03 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit d8cef48e69ba67583c1fc2ec8953538218054cfe
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 28 17:52:46 2016 +0000

    sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-9576)
---
 debian/changelog                                   |  2 ++
 ...g_write-is-not-fit-to-be-called-under-ker.patch | 42 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 45 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e4f156c..dbee676 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -111,6 +111,8 @@ linux (3.2.84-1) UNRELEASED; urgency=medium
   * net: ping: check minimum size on ICMP header length (CVE-2016-8399)
   * packet: fix race condition in packet_set_ring (CVE-2016-8655)
   * sctp: validate chunk len before actually using it (CVE-2016-9555)
+  * sg_write()/bsg_write() is not fit to be called under KERNEL_DS
+    (CVE-2016-9576)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 28 Nov 2016 18:43:52 +0000
 
diff --git a/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch b/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
new file mode 100644
index 0000000..f25980c
--- /dev/null
+++ b/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
@@ -0,0 +1,42 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 16 Dec 2016 13:42:06 -0500
+Subject: sg_write()/bsg_write() is not fit to be called under KERNEL_DS
+Origin: https://git.kernel.org/linus/128394eff343fc6d2f32172f03e24829539c5835
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9576
+
+Both damn things interpret userland pointers embedded into the payload;
+worse, they are actually traversing those.  Leaving aside the bad
+API design, this is very much _not_ safe to call with KERNEL_DS.
+Bail out early if that happens.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ block/bsg.c       | 3 +++
+ drivers/scsi/sg.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -675,6 +675,9 @@ bsg_write(struct file *file, const char
+ 
+ 	dprintk("%s: write %Zd bytes\n", bd->name, count);
+ 
++	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++		return -EINVAL;
++
+ 	bsg_set_block(bd, file);
+ 
+ 	bytes_written = 0;
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -544,6 +544,9 @@ sg_write(struct file *filp, const char _
+ 	sg_io_hdr_t *hp;
+ 	unsigned char cmnd[MAX_COMMAND_SIZE];
+ 
++	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++		return -EINVAL;
++
+ 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
+ 		return -ENXIO;
+ 	SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n",
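Review bot: both added checks fail closed, returning -EINVAL as soon as either write path is entered with the address limit set to KERNEL_DS, rather than attempting to validate the userland pointers the commit message says are embedded in and traversed from the payload; that is the right shape for a fix of this kind, because under KERNEL_DS those pointer dereferences would be allowed to reach kernel addresses. Two placement details in the backport are worth confirming against the upstream commit named in the Origin line: in `sg_write` the check precedes the `filp->private_data` lookup, so a KERNEL_DS caller now sees -EINVAL ahead of -ENXIO, while in `bsg_write` it follows `dprintk("%s: write %Zd bytes\n", bd->name, count);`, so the byte count is still logged before bailing. Neither changes correctness, but the Debian changelog entry could say explicitly that kernel-context writes to these device nodes are now rejected outright, since any in-kernel caller that relied on them will start seeing -EINVAL.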
diff --git a/debian/patches/series b/debian/patches/series
index 933dce4..101f5e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1116,6 +1116,7 @@ bugfix/all/hid-core-prevent-out-of-bound-readings.patch
 bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
 bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
 bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
+bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git