oss-sec mailing list archives
Re: CVE request for vhost/scsi possible memory corruption.
From: cve-assign () mitre org
Date: Thu, 21 May 2015 11:31:31 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=59c816c1f24df0204e01851431d3bab3eb76719c -- vhost/scsi: potential memory corruption This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt" to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16. I looked at the context and it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so anything higher than 255 then it is invalid. I have made that the limit now. In vhost_scsi_send_evt() we mask away values higher than 255, but now that the limit has changed, we don't need the mask. -- The first check that slips past is here: -- drivers/vhost/scsi.c - vhost_scsi_make_tpg() if (vs->vs_tpg && vs->vs_tpg[tpg->tport_tpgt]) My theory is that the possible memory corruption happens later: -- drivers/vhost/scsi.c - vhost_scsi_make_tpg() // sets this null pointer, to "tpg" value. vs_tpg[tpg->tport_tpgt] = tpg; When vs_tpg[tpg->tport_tpgt] = 0
Nobody else has offered an alternative theory or shown that it is unexploitable, so probably a CVE ID is reasonable. Use CVE-2015-4036. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVXfnpAAoJEKllVAevmvmsJSkH+wQyE2BCazl50a+4lscyN/S/ mLdpNddqLuaCPEWOwFcp8UX2M/d5Uyj4zl42bsfFOy0HA6zBmUAzjeg9Ea3b8gQp ix4guXREeWkmaw+IT5uyG8dCSujMSTzvdDKvXoCh2jcyvdSXXb4xcHIlsmppgn8M 8hVRXoAuEt8yrbtjzXA99pB6gYJeKTOsZFPx0Fwy2aeCO/tCVUoZF+KlUGxokvWL wRhl9JBdKxmqzMgZcuDUdgZ9s9TGpFIChVOKvDHdw52pL8eXMEqzD1JV2NbQGG3C Xa/LmM2wCE/eqnYT7QSlzEjh2e1titJkNUc+wVNj4Refj/k1HXCCQdVZNOWnbh8= =voYF -----END PGP SIGNATURE-----
Current thread:
- CVE request for vhost/scsi possible memory corruption. Wade Mealing (May 13)
- Re: CVE request for vhost/scsi possible memory corruption. cve-assign (May 21)