cve/published/2021/CVE-2021-47337.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47337: scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

 Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()")
 changed the allocation logic to call put_device() to perform host cleanup
 with the assumption that IDA removal and stopping the kthread would
 properly be performed in scsi_host_dev_release(). However, in the unlikely
 case that the error handler thread fails to spawn, shost->ehandler is set
 to ERR_PTR(-ENOMEM).

 The error handler cleanup code in scsi_host_dev_release() will call
 kthread_stop() if shost->ehandler != NULL which will always be the case
 whether the kthread was successfully spawned or not. In the case that it
 failed to spawn this has the nasty side effect of trying to dereference an
 invalid pointer when kthread_stop() is called. The following splat provides
 an example of this behavior in the wild:

 scsi host11: error handler thread failed to spawn, error = -4
 Kernel attempted to read user page (10c) - exploit attempt? (uid: 0)
 BUG: Kernel NULL pointer dereference on read at 0x0000010c
 Faulting instruction address: 0xc00000000818e9a8
 Oops: Kernel access of bad area, sig: 11 [#1]
 LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
 Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region
  hash dm_log dm_mod fuse overlay squashfs loop
 CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1
 NIP:  c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8
 REGS: c000000037d12ea0 TRAP: 0300   Not tainted  (5.13.0-rc7)
 MSR:  800000000280b033 &lt;SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE&gt;  CR: 28228228
 XER: 20040001
 CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0
 GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc
 GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000
 GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff
 GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0
 GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288
 GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898
 GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000
 GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc
 NIP [c00000000818e9a8] kthread_stop+0x38/0x230
 LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160
 Call Trace:
 [c000000033bb2c48] 0xc000000033bb2c48 (unreliable)
 [c0000000089846e8] scsi_host_dev_release+0x98/0x160
 [c00000000891e960] device_release+0x60/0x100
 [c0000000087e55c4] kobject_release+0x84/0x210
 [c00000000891ec78] put_device+0x28/0x40
 [c000000008984ea4] scsi_host_alloc+0x314/0x430
 [c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]
 [c000000008110104] vio_bus_probe+0xa4/0x4b0
 [c00000000892a860] really_probe+0x140/0x680
 [c00000000892aefc] driver_probe_device+0x15c/0x200
 [c00000000892b63c] device_driver_attach+0xcc/0xe0
 [c00000000892b740] __driver_attach+0xf0/0x200
 [c000000008926f28] bus_for_each_dev+0xa8/0x130
 [c000000008929ce4] driver_attach+0x34/0x50
 [c000000008928fc0] bus_add_driver+0x1b0/0x300
 [c00000000892c798] driver_register+0x98/0x1a0
 [c00000000810eb60] __vio_register_driver+0x80/0xe0
 [c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]
 [c0000000080121d0] do_one_initcall+0x60/0x2d0
 [c000000008261abc] do_init_module+0x7c/0x320
 [c000000008265700] load_module+0x2350/0x25b0
 [c000000008265cb4] __do_sys_finit_module+0xd4/0x160
 [c000000008031110] system_call_exception+0x150/0x2d0
 [c00000000800d35c] system_call_common+0xec/0x278

 Fix this be nulling shost->ehandler when the kthread fails to spawn.

 The Linux kernel CVE team has assigned CVE-2021-47337 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.9.273 with commit 8958181c1663e24a13434448e7d6b96b5d04900a and fixed in 4.9.276 with commit d2f0b960d07e52bb664471b4de0ed8b08c636b3a
 	Issue introduced in 4.14.237 with commit db08ce595dd64ea9859f7d088b51cbfc8e685c66 and fixed in 4.14.240 with commit f3d0a109240c9bed5c60d819014786be3a2fe515
 	Issue introduced in 4.19.195 with commit 2dc85045ae65b9302a1d2e2ddd7ce4c030153a6a and fixed in 4.19.198 with commit e1bd3fac2baa3d5c04375980c1d5263a3335af92
 	Issue introduced in 5.4.126 with commit 79296e292d67fa7b5fb8d8c27343683e823872c8 and fixed in 5.4.134 with commit 887bfae2732b5b02a86a859fd239d34f7ff93c05
 	Issue introduced in 5.10.44 with commit 7a696ce1d5d16a33a6cd6400bbcc0339b2460e11 and fixed in 5.10.52 with commit ea518b70ed5e4598c8d706f37fc16f7b06e440bd
 	Issue introduced in 5.12.11 with commit 45d83db4728127944b237c0c8248987df9d478e7 and fixed in 5.12.19 with commit 8e4212ecf0713dd57d0e3209a66201da582149b1
 	Issue introduced in 5.13 with commit 66a834d092930cf41d809c0e989b13cd6f9ca006 and fixed in 5.13.4 with commit c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691
 	Issue introduced in 5.13 with commit 66a834d092930cf41d809c0e989b13cd6f9ca006 and fixed in 5.14 with commit 93aa71ad7379900e61c8adff6a710a4c18c7c99b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47337
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/hosts.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a
 	https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515
 	https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92
 	https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05
 	https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd
 	https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1
 	https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691
 	https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47337: scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

	Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()")
	changed the allocation logic to call put_device() to perform host cleanup
	with the assumption that IDA removal and stopping the kthread would
	properly be performed in scsi_host_dev_release(). However, in the unlikely
	case that the error handler thread fails to spawn, shost->ehandler is set
	to ERR_PTR(-ENOMEM).

	The error handler cleanup code in scsi_host_dev_release() will call
	kthread_stop() if shost->ehandler != NULL which will always be the case
	whether the kthread was successfully spawned or not. In the case that it
	failed to spawn this has the nasty side effect of trying to dereference an
	invalid pointer when kthread_stop() is called. The following splat provides
	an example of this behavior in the wild:

	scsi host11: error handler thread failed to spawn, error = -4
	Kernel attempted to read user page (10c) - exploit attempt? (uid: 0)
	BUG: Kernel NULL pointer dereference on read at 0x0000010c
	Faulting instruction address: 0xc00000000818e9a8
	Oops: Kernel access of bad area, sig: 11 [#1]
	LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
	Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region
	hash dm_log dm_mod fuse overlay squashfs loop
	CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1
	NIP: c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8
	REGS: c000000037d12ea0 TRAP: 0300 Not tainted (5.13.0-rc7)
	MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28228228
	XER: 20040001
	CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0
	GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc
	GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000
	GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff
	GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0
	GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288
	GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898
	GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000
	GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc
	NIP [c00000000818e9a8] kthread_stop+0x38/0x230
	LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160
	Call Trace:
	[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)
	[c0000000089846e8] scsi_host_dev_release+0x98/0x160
	[c00000000891e960] device_release+0x60/0x100
	[c0000000087e55c4] kobject_release+0x84/0x210
	[c00000000891ec78] put_device+0x28/0x40
	[c000000008984ea4] scsi_host_alloc+0x314/0x430
	[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]
	[c000000008110104] vio_bus_probe+0xa4/0x4b0
	[c00000000892a860] really_probe+0x140/0x680
	[c00000000892aefc] driver_probe_device+0x15c/0x200
	[c00000000892b63c] device_driver_attach+0xcc/0xe0
	[c00000000892b740] __driver_attach+0xf0/0x200
	[c000000008926f28] bus_for_each_dev+0xa8/0x130
	[c000000008929ce4] driver_attach+0x34/0x50
	[c000000008928fc0] bus_add_driver+0x1b0/0x300
	[c00000000892c798] driver_register+0x98/0x1a0
	[c00000000810eb60] __vio_register_driver+0x80/0xe0
	[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]
	[c0000000080121d0] do_one_initcall+0x60/0x2d0
	[c000000008261abc] do_init_module+0x7c/0x320
	[c000000008265700] load_module+0x2350/0x25b0
	[c000000008265cb4] __do_sys_finit_module+0xd4/0x160
	[c000000008031110] system_call_exception+0x150/0x2d0
	[c00000000800d35c] system_call_common+0xec/0x278

	Fix this be nulling shost->ehandler when the kthread fails to spawn.

	The Linux kernel CVE team has assigned CVE-2021-47337 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.9.273 with commit 8958181c1663e24a13434448e7d6b96b5d04900a and fixed in 4.9.276 with commit d2f0b960d07e52bb664471b4de0ed8b08c636b3a
	Issue introduced in 4.14.237 with commit db08ce595dd64ea9859f7d088b51cbfc8e685c66 and fixed in 4.14.240 with commit f3d0a109240c9bed5c60d819014786be3a2fe515
	Issue introduced in 4.19.195 with commit 2dc85045ae65b9302a1d2e2ddd7ce4c030153a6a and fixed in 4.19.198 with commit e1bd3fac2baa3d5c04375980c1d5263a3335af92
	Issue introduced in 5.4.126 with commit 79296e292d67fa7b5fb8d8c27343683e823872c8 and fixed in 5.4.134 with commit 887bfae2732b5b02a86a859fd239d34f7ff93c05
	Issue introduced in 5.10.44 with commit 7a696ce1d5d16a33a6cd6400bbcc0339b2460e11 and fixed in 5.10.52 with commit ea518b70ed5e4598c8d706f37fc16f7b06e440bd
	Issue introduced in 5.12.11 with commit 45d83db4728127944b237c0c8248987df9d478e7 and fixed in 5.12.19 with commit 8e4212ecf0713dd57d0e3209a66201da582149b1
	Issue introduced in 5.13 with commit 66a834d092930cf41d809c0e989b13cd6f9ca006 and fixed in 5.13.4 with commit c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691
	Issue introduced in 5.13 with commit 66a834d092930cf41d809c0e989b13cd6f9ca006 and fixed in 5.14 with commit 93aa71ad7379900e61c8adff6a710a4c18c7c99b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47337
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/hosts.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a
	https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515
	https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92
	https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05
	https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd
	https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1
	https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691
	https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b