From: Greg Kroah-Hartman Date: Tue, 10 Jul 2018 11:14:13 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.115~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d7ad942f13cbc8173e9d2f6b9b6a2477d3a24e14;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: scsi-sg-mitigate-read-write-abuse.patch --- diff --git a/queue-3.18/scsi-sg-mitigate-read-write-abuse.patch b/queue-3.18/scsi-sg-mitigate-read-write-abuse.patch new file mode 100644 index 00000000000..5bcd75ae5a8 --- /dev/null +++ b/queue-3.18/scsi-sg-mitigate-read-write-abuse.patch @@ -0,0 +1,111 @@ +From 26b5b874aff5659a7e26e5b1997e3df2c41fa7fd Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 25 Jun 2018 16:25:44 +0200 +Subject: scsi: sg: mitigate read/write abuse + +From: Jann Horn + +commit 26b5b874aff5659a7e26e5b1997e3df2c41fa7fd upstream. + +As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit +to be called under KERNEL_DS"), sg improperly accesses userspace memory +outside the provided buffer, permitting kernel memory corruption via +splice(). But it doesn't just do it on ->write(), also on ->read(). + +As a band-aid, make sure that the ->read() and ->write() handlers can not +be called in weird contexts (kernel context or credentials different from +file opener), like for ib_safe_file_access(). + +If someone needs to use these interfaces from different security contexts, +a new interface should be written that goes through the ->ioctl() handler. + +I've mostly copypasted ib_safe_file_access() over as sg_safe_file_access() +because I couldn't find a good common header - please tell me if you know a +better way. + +[mkp: s/_safe_/_check_/] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: +Signed-off-by: Jann Horn +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sg.c | 42 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 40 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -52,6 +52,7 @@ static int sg_version_num = 30536; /* 2 + #include + #include + #include ++#include /* for sg_check_file_access() */ + + #include "scsi.h" + #include +@@ -222,6 +223,33 @@ static void sg_device_destroy(struct kre + sdev_printk(prefix, (sdp)->device, "[%s] " fmt, \ + (sdp)->disk->disk_name, ##a) + ++/* ++ * The SCSI interfaces that use read() and write() as an asynchronous variant of ++ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways ++ * to trigger read() and write() calls from various contexts with elevated ++ * privileges. This can lead to kernel memory corruption (e.g. if these ++ * interfaces are called through splice()) and privilege escalation inside ++ * userspace (e.g. if a process with access to such a device passes a file ++ * descriptor to a SUID binary as stdin/stdout/stderr). ++ * ++ * This function provides protection for the legacy API by restricting the ++ * calling context. ++ */ ++static int sg_check_file_access(struct file *filp, const char *caller) ++{ ++ if (filp->f_cred != current_real_cred()) { ++ pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EPERM; ++ } ++ if (unlikely(segment_eq(get_fs(), KERNEL_DS))) { ++ pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EACCES; ++ } ++ return 0; ++} ++ + static int sg_allow_access(struct file *filp, unsigned char *cmd) + { + struct sg_fd *sfp = filp->private_data; +@@ -406,6 +434,14 @@ sg_read(struct file *filp, char __user * + struct sg_header *old_hdr = NULL; + int retval = 0; + ++ /* ++ * This could cause a response to be stranded. Close the associated ++ * file descriptor to free up any resources being held. ++ */ ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; ++ + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; + SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, +@@ -593,9 +629,11 @@ sg_write(struct file *filp, const char _ + struct sg_header old_hdr; + sg_io_hdr_t *hp; + unsigned char cmnd[SG_MAX_CDB_SIZE]; ++ int retval; + +- if (unlikely(segment_eq(get_fs(), KERNEL_DS))) +- return -EINVAL; ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; + + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; diff --git a/queue-3.18/series b/queue-3.18/series index cdd72b30034..d7adbe76058 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -6,3 +6,4 @@ netfilter-ebtables-handle-string-from-userspace-with-care.patch atm-zatm-fix-memcmp-casting.patch net-qmi_wwan-add-netgear-aircard-779s.patch net-sonic-use-dma_mapping_error.patch +scsi-sg-mitigate-read-write-abuse.patch diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..ebe1e788ada --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,4 @@ +userfaultfd-hugetlbfs-fix-userfaultfd_huge_must_wait-pte-access.patch +mm-hugetlb-yield-when-prepping-struct-pages.patch +tracing-fix-missing-return-symbol-in-function_graph-output.patch +scsi-sg-mitigate-read-write-abuse.patch diff --git a/queue-4.17/series b/queue-4.17/series new file mode 100644 index 00000000000..dc7e0973638 --- /dev/null +++ b/queue-4.17/series @@ -0,0 +1,10 @@ +userfaultfd-hugetlbfs-fix-userfaultfd_huge_must_wait-pte-access.patch +mm-hugetlb-yield-when-prepping-struct-pages.patch +mm-teach-dump_page-to-correctly-output-poisoned-struct-pages.patch +pci-acpi-pm-resume-bridges-w-o-drivers-on-suspend-to-ram.patch +acpica-drop-leading-newlines-from-error-messages.patch +acpi-battery-safe-unregistering-of-hooks.patch +drm-amdgpu-make-struct-amdgpu_atif-private-to-amdgpu_acpi.c.patch +tracing-avoid-string-overflow.patch +tracing-fix-missing-return-symbol-in-function_graph-output.patch +scsi-sg-mitigate-read-write-abuse.patch