[linux] 02/18: sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Dec 29 03:44:11 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 51cd4c2300295f301c118434965beef82a28f3ee
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 28 22:35:45 2016 +0000

    sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)
---
 debian/changelog                                   |  1 +
 ...uble-free-when-drives-detach-during-sg_io.patch | 66 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 68 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bb04077..0c297d2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -489,6 +489,7 @@ linux (3.16.39-1) UNRELEASED; urgency=medium
   * fsnotify: Ignore ABI change in 3.16.39
   * Fix backport of "fs: Give dentry to inode_change_ok() instead of inode"
     in fuse, xfs
+  * sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)
 
   [ Julien Cristau ]
   * hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
diff --git a/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch b/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
new file mode 100644
index 0000000..97c78b8
--- /dev/null
+++ b/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
@@ -0,0 +1,66 @@
+From: Calvin Owens <calvinowens at fb.com>
+Date: Fri, 30 Oct 2015 16:57:00 -0700
+Subject: sg: Fix double-free when drives detach during SG_IO
+Origin: https://git.kernel.org/linus/f3951a3709ff50990bf3e188c27d346792103432
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8962
+
+In sg_common_write(), we free the block request and return -ENODEV if
+the device is detached in the middle of the SG_IO ioctl().
+
+Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
+end up freeing rq->cmd in the already free rq object, and then free
+the object itself out from under the current user.
+
+This ends up corrupting random memory via the list_head on the rq
+object. The most common crash trace I saw is this:
+
+  ------------[ cut here ]------------
+  kernel BUG at block/blk-core.c:1420!
+  Call Trace:
+  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
+  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
+  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
+  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
+  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
+  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
+  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
+  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
+  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
+  [<ffffffff81602afb>] tracesys+0xdd/0xe2
+    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
+
+The solution is straightforward: just set srp->rq to NULL in the
+failure branch so that sg_finish_rem_req() doesn't attempt to re-free
+it.
+
+Additionally, since sg_rq_end_io() will never be called on the object
+when this happens, we need to free memory backing ->cmd if it isn't
+embedded in the object itself.
+
+KASAN was extremely helpful in finding the root cause of this bug.
+
+Signed-off-by: Calvin Owens <calvinowens at fb.com>
+Acked-by: Douglas Gilbert <dgilbert at interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+[bwh: Backported to 3.16:
+ - sg_finish_rem_req() would not free srp->rq->cmd so don't do it here either
+ - Adjust context]
+---
+ drivers/scsi/sg.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -766,8 +766,11 @@ sg_common_write(Sg_fd * sfp, Sg_request
+ 		return k;	/* probably out of space --> ENOMEM */
+ 	}
+ 	if (sdp->detached) {
+-		if (srp->bio)
++		if (srp->bio) {
+ 			blk_end_request_all(srp->rq, -EIO);
++			srp->rq = NULL;
++		}
++
+ 		sg_finish_rem_req(srp);
+ 		return -ENODEV;
+ 	}
diff --git a/debian/patches/series b/debian/patches/series
index e669271..550ca0d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -657,6 +657,7 @@ features/all/chaoskey/hwrng-chaoskey-Fix-URB-warning-due-to-timeout-on-Ale.patch
 features/all/chaoskey/chaoskey-3.16-no-hwrng-quality.patch
 
 # Security fixes
+bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git



More information about the Kernel-svn-changes mailing list