[linux] 01/01: sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-10088)
debian-kernel at lists.debian.org
Sat Dec 31 19:36:12 UTC 2016
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit e7ccf65ec6565d68026cf1b3699538132c4c8dec
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sat Dec 31 20:20:45 2016 +0100
sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-10088)
---
debian/changelog | 5 +++
...g_write-is-not-fit-to-be-called-under-KER.patch | 48 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 54 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 0471cdb..92d3c4d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,16 @@
linux (4.8.15-2) UNRELEASED; urgency=medium
+ [ Ben Hutchings ]
* [x86] Enable INTEL_VBTN as module (Closes: #848967)
* debian/control: Change build-dependency on asciidoc to prefer the new
asciidoc-base, so we don't pull in LaTeX unnecessarily
* [x86] Enable LEDS_DELL_NETBOOKS and DELL_SMBIOS as modules; re-enable
DELL_LAPTOP and DELL_WMI as modules (Closes: #849674)
+ [ Salvatore Bonaccorso ]
+ * sg_write()/bsg_write() is not fit to be called under KERNEL_DS
+ (CVE-2016-10088)
+
-- Ben Hutchings <ben at decadent.org.uk> Tue, 27 Dec 2016 09:05:58 +0000
linux (4.8.15-1) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-KER.patch b/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-KER.patch
new file mode 100644
index 0000000..1fe1532
--- /dev/null
+++ b/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-KER.patch
@@ -0,0 +1,48 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 16 Dec 2016 13:42:06 -0500
+Subject: sg_write()/bsg_write() is not fit to be called under KERNEL_DS
+Origin: https://git.kernel.org/linus/128394eff343fc6d2f32172f03e24829539c5835
+
+Both damn things interpret userland pointers embedded into the payload;
+worse, they are actually traversing those. Leaving aside the bad
+API design, this is very much _not_ safe to call with KERNEL_DS.
+Bail out early if that happens.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ block/bsg.c | 3 +++
+ drivers/scsi/sg.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/block/bsg.c b/block/bsg.c
+index 8a05a404ae70..a57046de2f07 100644
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -655,6 +655,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
+
+ dprintk("%s: write %Zd bytes\n", bd->name, count);
+
++ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++ return -EINVAL;
++
+ bsg_set_block(bd, file);
+
+ bytes_written = 0;
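Review bot: the new guard at the top of bsg_write() carries no comment, and the only place that explains why KERNEL_DS is rejected (the payload embeds userland pointers that the driver then dereferences) is the patch description. A one-line comment above the `segment_eq()` test, e.g. `/* payload embeds __user pointers; refuse them under KERNEL_DS */`, would keep that rationale next to the code. The placement itself is right: the return happens before bsg_set_block() and before any byte of the payload is read, so nothing is interpreted first. This guards only the write() entry point shown here; if the same payload parsing is reachable from another entry point into the driver, that path would need the same check.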
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 070332eb41f3..dbe5b4b95df0 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -581,6 +581,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
+ sg_io_hdr_t *hp;
+ unsigned char cmnd[SG_MAX_CDB_SIZE];
+
++ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++ return -EINVAL;
++
+ if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
+ return -ENXIO;
+ SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
+--
+2.11.0
+
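Review bot: in sg_write() the KERNEL_DS check is placed before the sfp/sdp validity checks, so a kernel-address-space caller gets -EINVAL instead of -ENXIO even when the private data is missing; that is harmless, but it differs from the bsg hunk, where the check sits after the existing dprintk, and a short comment would make the deliberate "bail out before touching anything" ordering explicit. Separately, the Debian patch header (From/Date/Subject/Origin) never mentions CVE-2016-10088; only the changelog does. Consider adding a DEP-3 style `Bug-Debian-Security:` line pointing at the tracker entry so the security context survives if the patch is cherry-picked to another branch without its changelog entry.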
diff --git a/debian/patches/series b/debian/patches/series
index 44ae1cc..a018747 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -104,6 +104,7 @@ bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch
bugfix/all/net-handle-no-dst-on-skb-in-icmp6_send.patch
bugfix/all/netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
+bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-KER.patch
# ABI maintenance
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git