Re: Linux kernel: information disclosure in stex_queuecommand_lck

[Xingyuan Mo <hdthky0 () gmail com>]

CVE-2022-40768 has been assigned to this issue.

Thanks,
Xingyuan Mo

On Fri, Sep 9, 2022 at 12:52 PM Xingyuan Mo <hdthky0 () gmail com> wrote:
> Hello,
>
> We found an information disclosure vulnerability in stex_queuecommand_lck() in
> drivers/scsi/stex.c through linux v6.0-rc4 which allows an attacker to disclose
> sensitive information such as kernel space address.
>
> This issue can be fixed with the following patch:
> https://lore.kernel.org/all/20220908145154.2284098-1-gregkh () linuxfoundation org/
>
> =*=*=*=*=*=*=*=*=  Bug Details  =*=*=*=*=*=*=*=*=
>
> In drivers/scsi/stex.c:
>  666:  case PASSTHRU_CMD:
>  667:    if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
>  668:      struct st_drvver ver;
>  669:      size_t cp_len = sizeof(ver);
>  670:
>  671:      ver.major = ST_VER_MAJOR;
>  672:      ver.minor = ST_VER_MINOR;
>  673:      ver.oem = ST_OEM;
>  674:      ver.build = ST_BUILD_VER;
>  675:      ver.signature[0] = PASSTHRU_SIGNATURE;
>  676:      ver.console_id = host->max_id - 1;
>  677:      ver.host_no = hba->host->host_no;
>  678:      cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
>  679:      if (sizeof(ver) == cp_len)
>  680:        cmd->result = DID_OK << 16;
>  681:      else
>  682:        cmd->result = DID_ERROR << 16;
>  683:      done(cmd);
>  684:      return 0;
>  685:    }
>  686:    break;
>
> The variable ver is declared off of the stack, but not zeroed out before copied
> back to user space, resulting in sensitive information disclosure.
>
> =*=*=*=*=*=*=*=*=  Timeline  =*=*=*=*=*=*=*=*=
>
> 2022-09-08: bug reported
> 2022-09-08: patch released
>
> =*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=
>
> Xingyuan Mo (@hdthky) and Gengjia Chen (@chengjia4574) of IceSword Lab, 360
>
>
> Best Regards,
> Xingyuan Mo