From patchwork Thu Mar 11 02:36:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1450936 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DwtPN2PBbz9sWX; Thu, 11 Mar 2021 13:36:39 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lKBBe-0002op-U6; Thu, 11 Mar 2021 02:36:30 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lKBBd-0002oj-S8 for kernel-team@lists.ubuntu.com; Thu, 11 Mar 2021 02:36:29 +0000 Received: from [179.93.213.27] (helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lKBBd-0006oa-5o for kernel-team@lists.ubuntu.com; Thu, 11 Mar 2021 02:36:29 +0000 From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU Hirsute, Focal/linux-oem-5.10, Groovy, Focal/linux-oem-5.6, Focal, Bionic 0/4] CVE-2021-27363, CVE-2021-27364, CVE-2021-27365 Date: Wed, 10 Mar 2021 23:36:12 -0300 Message-Id: <20210311023621.1152868-1-cascardo@canonical.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" [Impact] Unprivileged users can use the iscsi_transport handle to leak kernel address, create/close iscsi sessions, and write out of bonds when reading sysfs iscsi attributes. [Fix/Backport] 3 commits fix the problem, minimal backporting was needed because of missing commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from 4.15 to 5.8, and needed some context adjustment on 4.15 because of missing *change_owner functions. [Test case] Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not possible anymore. Also, creating a session also failed, and even as root, setting a name larger than PAGE_SIZE failed. [Potential regression] iscsi users could fail to operate as unprivileged users. Chris Leech (2): scsi: iscsi: Verify lengths on passthrough PDUs scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE Joe Perches (1): sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output Lee Duncan (1): scsi: iscsi: Restrict sessions and handles to admin capabilities Documentation/filesystems/sysfs.txt | 8 +- drivers/scsi/libiscsi.c | 148 ++++++++++++++-------------- drivers/scsi/scsi_transport_iscsi.c | 39 ++++++-- fs/sysfs/file.c | 55 +++++++++++ include/linux/sysfs.h | 16 +++ 5 files changed, 178 insertions(+), 88 deletions(-) Acked-by: Stefan Bader Acked-by: Tim Gardner