A flaw exists in the kernels configfs interface to manipulate or control the vhost scsi subsection. Unchecked directory names in configfs may unintentionally corrupt memory or panic the system.
It was reported that in vhost_scsi_make_tpg() the limit for "tpgt" is UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.
In the context it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg array which has VHOST_SCSI_MAX_TARGET (256) elements, so anything higher than 255 then is invalid. Attached patch corrects this.
In vhost_scsi_send_evt() the values higher than 255 are masked, but now that the limit has changed, the mask is not needed.
Created attachment 988570 [details]
Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 and 7, and Red Hat Enterprise MRG as they do not have CONFIG_VHOST_SCSI directive enabled in the build configuration.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1192079]
kernel-3.18.8-201.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.18.9-100.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.