Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1189864 - (CVE-2015-4036) CVE-2015-4036 kernel: potential memory corruption (denial of service) in vhost/scsi driver
CVE-2015-4036 kernel: potential memory corruption (denial of service) in vhos...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150205,repor...
: Security
Depends On: 1192079
Blocks: 1189866
  Show dependency treegraph
 
Reported: 2015-02-05 11:44 EST by Vasyl Kaigorodov
Modified: 2015-05-29 08:41 EDT (History)
32 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw exists in the kernels configfs interface to manipulate or control the vhost scsi subsection. Unchecked directory names in configfs may unintentionally corrupt memory or panic the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-29 08:41:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
kernel_vhost_scsi.patch (1.01 KB, text/plain)
2015-02-05 11:44 EST, Vasyl Kaigorodov 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Vasyl Kaigorodov 2015-02-05 11:44:00 EST 
It was reported that in vhost_scsi_make_tpg() the limit for "tpgt" is UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.

In the context it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements, so anything higher than 255 then is invalid. Attached patch corrects this.
In vhost_scsi_send_evt() the values higher than 255 are masked, but now that the limit has changed, the mask is not needed.

Upstream fix:
http://www.spinics.net/lists/linux-scsi/msg82650.html

Discussion:
http://www.openwall.com/lists/oss-security/2015/05/13/4
Comment 1 Vasyl Kaigorodov 2015-02-05 11:44:56 EST 
Created attachment 988570 [details]
kernel_vhost_scsi.patch
Comment 2 Vasyl Kaigorodov 2015-02-12 10:21:21 EST 
Statement:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 and 7, and Red Hat Enterprise MRG as they do not have CONFIG_VHOST_SCSI directive enabled in the build configuration.
Comment 3 Vasyl Kaigorodov 2015-02-12 10:22:14 EST 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1192079]
Comment 5 Petr Matousek 2015-02-20 09:02:40 EST 
References:

http://www.spinics.net/lists/linux-scsi/msg82650.html
Comment 6 Fedora Update System 2015-03-09 04:17:21 EDT 
kernel-3.18.8-201.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-03-14 05:15:30 EDT 
kernel-3.18.9-100.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.