cve/published/2021/CVE-2021-47182.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47182: scsi: core: Fix scsi_mode_sense() buffer length handling

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: core: Fix scsi_mode_sense() buffer length handling

 Several problems exist with scsi_mode_sense() buffer length handling:

  1) The allocation length field of the MODE SENSE(10) command is 16-bits,
     occupying bytes 7 and 8 of the CDB. With this command, access to mode
     pages larger than 255 bytes is thus possible. However, the CDB
     allocation length field is set by assigning len to byte 8 only, thus
     truncating buffer length larger than 255.

  2) If scsi_mode_sense() is called with len smaller than 8 with
     sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length
     is increased to 8 and 4 respectively, and the buffer is zero filled
     with these increased values, thus corrupting the memory following the
     buffer.

 Fix these 2 problems by using put_unaligned_be16() to set the allocation
 length field of MODE SENSE(10) CDB and by returning an error when len is
 too small.

 Furthermore, if len is larger than 255B, always try MODE SENSE(10) first,
 even if the device driver did not set sdev->use_10_for_ms. In case of
 invalid opcode error for MODE SENSE(10), access to mode pages larger than
 255 bytes are not retried using MODE SENSE(6). To avoid buffer length
 overflows for the MODE_SENSE(10) case, check that len is smaller than 65535
 bytes.

 While at it, also fix the folowing:

  * Use get_unaligned_be16() to retrieve the mode data length and block
    descriptor length fields of the mode sense reply header instead of using
    an open coded calculation.

  * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable
    Block Descriptor, which is the opposite of what the dbd argument
    description was.

 The Linux kernel CVE team has assigned CVE-2021-47182 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.15.5 with commit e15de347faf4a9f494cbd4e9a623d343dc1b5851
 	Fixed in 5.16 with commit 17b49bcbf8351d3dbe57204468ac34f033ed60bc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47182
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/scsi_lib.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851
 	https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47182: scsi: core: Fix scsi_mode_sense() buffer length handling

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: core: Fix scsi_mode_sense() buffer length handling

	Several problems exist with scsi_mode_sense() buffer length handling:

	1) The allocation length field of the MODE SENSE(10) command is 16-bits,
	occupying bytes 7 and 8 of the CDB. With this command, access to mode
	pages larger than 255 bytes is thus possible. However, the CDB
	allocation length field is set by assigning len to byte 8 only, thus
	truncating buffer length larger than 255.

	2) If scsi_mode_sense() is called with len smaller than 8 with
	sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length
	is increased to 8 and 4 respectively, and the buffer is zero filled
	with these increased values, thus corrupting the memory following the
	buffer.

	Fix these 2 problems by using put_unaligned_be16() to set the allocation
	length field of MODE SENSE(10) CDB and by returning an error when len is
	too small.

	Furthermore, if len is larger than 255B, always try MODE SENSE(10) first,
	even if the device driver did not set sdev->use_10_for_ms. In case of
	invalid opcode error for MODE SENSE(10), access to mode pages larger than
	255 bytes are not retried using MODE SENSE(6). To avoid buffer length
	overflows for the MODE_SENSE(10) case, check that len is smaller than 65535
	bytes.

	While at it, also fix the folowing:

	* Use get_unaligned_be16() to retrieve the mode data length and block
	descriptor length fields of the mode sense reply header instead of using
	an open coded calculation.

	* Fix the kdoc dbd argument explanation: the DBD bit stands for Disable
	Block Descriptor, which is the opposite of what the dbd argument
	description was.

	The Linux kernel CVE team has assigned CVE-2021-47182 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.15.5 with commit e15de347faf4a9f494cbd4e9a623d343dc1b5851
	Fixed in 5.16 with commit 17b49bcbf8351d3dbe57204468ac34f033ed60bc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47182
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/scsi_lib.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851
	https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc