Bug 1189864 (CVE-2015-4036)

Summary: CVE-2015-4036 kernel: potential memory corruption (denial of service) in vhost/scsi driver
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text: A flaw exists in the kernel's configfs interface to manipulate or control the vhost scsi subsection. Unchecked directory names in configfs may unintentionally corrupt memory or panic the system.
Last Closed: 2015-05-29 12:41:36 UTC
Bug Depends On: 1192079
Bug Blocks: 1189866
Attachments: kernel_vhost_scsi.patch

Description Vasyl Kaigorodov 2015-02-05 16:44:00 UTC
It was reported that in vhost_scsi_make_tpg() the limit for "tpgt" is UINT_MAX, but the data type of "tpg->tport_tpgt" is a u16.

In the context it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg[] array, which has VHOST_SCSI_MAX_TARGET (256) elements, so anything higher than 255 is invalid. The attached patch corrects this.

In vhost_scsi_send_evt() the values higher than 255 are masked, but now that the limit has changed, the mask is not needed.

Upstream fix:
http://www.spinics.net/lists/linux-scsi/msg82650.html

Discussion:
http://www.openwall.com/lists/oss-security/2015/05/13/4
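As an added illustration (not code from this report, the attached patch, or the kernel), the two bounds checks the description contrasts, modelled in user-space C: parse_tpgt_name is a hypothetical stand-in for the kernel's parsing of the "tpgt_<N>" configfs directory name, and the 256-entry limit is the VHOST_SCSI_MAX_TARGET value stated above.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size of the vs_tpg[] array, as stated in the report. */
#define VHOST_SCSI_MAX_TARGET 256

/* Parse a configfs directory name of the form "tpgt_<N>" (hypothetical
 * helper; the kernel uses its own kstrto* routines). Returns 0 on success. */
static int parse_tpgt_name(const char *name, unsigned long *out)
{
    char *end;

    if (strncmp(name, "tpgt_", 5) != 0)
        return -1;
    errno = 0;
    *out = strtoul(name + 5, &end, 10);
    if (errno != 0 || end == name + 5 || *end != '\0')
        return -1;
    return 0;
}

/* Pattern described in the report: the limit is UINT_MAX, but the value is
 * stored in a u16. Returns the index that would be used, or -1 if rejected. */
int make_tpg_vulnerable(const char *name)
{
    unsigned long tpgt;
    uint16_t tport_tpgt;

    if (parse_tpgt_name(name, &tpgt) || tpgt > UINT_MAX)
        return -1;
    tport_tpgt = (uint16_t)tpgt; /* silent truncation to 16 bits */
    return tport_tpgt;           /* anything >= 256 is past the end of vs_tpg[] */
}

/* Corrected pattern: bound the value against the array size before use. */
int make_tpg_fixed(const char *name)
{
    unsigned long tpgt;

    if (parse_tpgt_name(name, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
        return -1;
    return (int)tpgt;
}
```

With the constructed name "tpgt_1000" the vulnerable check accepts an index well past the 256-entry array, and "tpgt_65537" is silently truncated to 1, so it passes any later bounds check but addresses the wrong slot.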

Comment 1 Vasyl Kaigorodov 2015-02-05 16:44:56 UTC
Created attachment 988570
kernel_vhost_scsi.patch

Comment 2 Vasyl Kaigorodov 2015-02-12 15:21:21 UTC
Statement:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 and 7, and Red Hat Enterprise MRG, as they do not have the CONFIG_VHOST_SCSI directive enabled in the build configuration.

Comment 3 Vasyl Kaigorodov 2015-02-12 15:22:14 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1192079]

Comment 5 Petr Matousek 2015-02-20 14:02:40 UTC
References:

http://www.spinics.net/lists/linux-scsi/msg82650.html

Comment 6 Fedora Update System 2015-03-09 08:17:21 UTC
kernel-3.18.8-201.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-03-14 09:15:30 UTC
kernel-3.18.9-100.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.