It was reported that in vhost_scsi_make_tpg() the limit for "tpgt" is UINT_MAX, but the data type of "tpg->tport_tpgt" is a u16. In the context it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements, so anything higher than 255 is invalid. Attached patch corrects this. In vhost_scsi_send_evt() the values higher than 255 are masked, but now that the limit has changed, the mask is not needed.

Upstream fix: http://www.spinics.net/lists/linux-scsi/msg82650.html
Discussion: http://www.openwall.com/lists/oss-security/2015/05/13/4
Created attachment 988570: kernel_vhost_scsi.patch
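As an added illustration (not the attached patch or kernel code), this C model contrasts the bound described in the report with the corrected one; VHOST_SCSI_MAX_TARGET and the "tpgt_N" name format are taken from the report, while parse_tpgt() is a userspace stand-in for the kernel's string-to-integer helpers.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size of the vs_tpg[] target table, as given in the report. */
#define VHOST_SCSI_MAX_TARGET 256

/* Parse the numeric suffix of a "tpgt_N" configfs name into a u64.
 * Returns 0 on success, -EINVAL on malformed input. */
static int parse_tpgt(const char *name, uint64_t *out)
{
    char *end;
    if (strncmp(name, "tpgt_", 5) != 0 || name[5] == '\0' || name[5] == '-')
        return -EINVAL;
    errno = 0;
    unsigned long long v = strtoull(name + 5, &end, 10);
    if (errno != 0 || *end != '\0')
        return -EINVAL;
    *out = v;
    return 0;
}

/* Old behaviour as described in the report: the limit is UINT_MAX, so the
 * check rejects nothing the parser accepts, and the value is then stored in a
 * u16 (tport_tpgt), which silently truncates. Returns the vs_tpg[] index. */
int tpgt_index_old(const char *name)
{
    uint64_t tpgt;
    if (parse_tpgt(name, &tpgt) || tpgt > UINT_MAX)
        return -EINVAL;
    uint16_t stored = (uint16_t)tpgt;   /* truncation: 65536 becomes 0 */
    return stored;                      /* may be >= VHOST_SCSI_MAX_TARGET */
}

/* Fixed check: reject anything that cannot index vs_tpg[] (0..255). */
int tpgt_index_fixed(const char *name)
{
    uint64_t tpgt;
    if (parse_tpgt(name, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
        return -EINVAL;
    return (int)tpgt;                   /* always a valid vs_tpg[] index */
}

/* 1 if idx can safely index vs_tpg[], else 0. */
int index_in_bounds(int idx)
{
    return idx >= 0 && idx < VHOST_SCSI_MAX_TARGET;
}
```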
Statement: Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 and 7, and Red Hat Enterprise MRG, as they do not have the CONFIG_VHOST_SCSI directive enabled in the build configuration.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1192079]
References: http://www.spinics.net/lists/linux-scsi/msg82650.html
kernel-3.18.8-201.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.18.9-100.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.