[linux] 14/18: sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-9576)

debian-kernel at lists.debian.org
Thu Dec 29 03:44:12 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 160c700612e57b2939fda763430e08dd089b2496
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 28 23:45:08 2016 +0000

    sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-9576)
---
 debian/changelog                                   |  2 ++
 ...g_write-is-not-fit-to-be-called-under-ker.patch | 42 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 45 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 5c8fa34..2d8f8e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -504,6 +504,8 @@ linux (3.16.39-1) UNRELEASED; urgency=medium
   * packet: fix race condition in packet_set_ring (CVE-2016-8655)
   * [x86] Fix potential infoleak in older kernels (CVE-2016-9178)
   * sctp: validate chunk len before actually using it (CVE-2016-9555)
+  * sg_write()/bsg_write() is not fit to be called under KERNEL_DS
+    (CVE-2016-9576)
 
   [ Julien Cristau ]
   * hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
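Review bot: the changelog entry copies the upstream subject verbatim but does not say what changes for users: with this fix, sg_write() and bsg_write() return -EINVAL whenever they are entered with KERNEL_DS, so any in-kernel caller that reaches those write paths now fails instead of succeeding. A short clause such as "(reject writes to sg/bsg devices made under KERNEL_DS)" would make that behaviour change visible to anyone reading the changelog for this CVE.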
diff --git a/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch b/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
new file mode 100644
index 0000000..a1891df
--- /dev/null
+++ b/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
@@ -0,0 +1,42 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 16 Dec 2016 13:42:06 -0500
+Subject: sg_write()/bsg_write() is not fit to be called under KERNEL_DS
+Origin: https://git.kernel.org/linus/128394eff343fc6d2f32172f03e24829539c5835
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9576
+
+Both damn things interpret userland pointers embedded into the payload;
+worse, they are actually traversing those.  Leaving aside the bad
+API design, this is very much _not_ safe to call with KERNEL_DS.
+Bail out early if that happens.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ block/bsg.c       | 3 +++
+ drivers/scsi/sg.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -676,6 +676,9 @@ bsg_write(struct file *file, const char
+ 
+ 	dprintk("%s: write %Zd bytes\n", bd->name, count);
+ 
++	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++		return -EINVAL;
++
+ 	bsg_set_block(bd, file);
+ 
+ 	bytes_written = 0;
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -568,6 +568,9 @@ sg_write(struct file *filp, const char _
+ 	sg_io_hdr_t *hp;
+ 	unsigned char cmnd[MAX_COMMAND_SIZE];
+ 
++	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++		return -EINVAL;
++
+ 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
+ 		return -ENXIO;
+ 	SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n",
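Review bot: both added checks are an early bail-out rather than a fix of the problem the description names (the functions interpret and traverse userland pointers embedded in the payload), so the Debian patch header should make clear that only the KERNEL_DS entry path is closed and the pointer handling itself is unchanged. Two details are worth noting for the backport: in sg_write() the check sits before the `sfp`/`sdp` validation, so a KERNEL_DS caller now gets -EINVAL where it would previously have received -ENXIO for a missing private_data (harmless, but a change in error ordering), while in bsg_write() it is placed after the `dprintk` and before `bsg_set_block()`, so no state is touched before rejecting. The `segment_eq(get_fs(), KERNEL_DS)` test is the address-limit API available in 3.16, so the upstream lines apply without adaptation.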
diff --git a/debian/patches/series b/debian/patches/series
index a29954f..c2ff3d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -672,6 +672,7 @@ bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch
 bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
 bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
 bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
+bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git