From patchwork Wed Jul 11 15:45:25 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 942586
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][PATCH 1/1] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
Date: Wed, 11 Jul 2018 17:45:25 +0200
Message-Id: <20180711154525.32498-2-kleber.souza@canonical.com>
In-Reply-To: <20180711154525.32498-1-kleber.souza@canonical.com>
References: <20180711154525.32498-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Hannes Reinecke When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is returned; the remaining part will then contain stale kernel memory information. This patch zeroes out the entire table to avoid this issue. Signed-off-by: Hannes Reinecke Reviewed-by: Bart Van Assche Reviewed-by: Christoph Hellwig Reviewed-by: Eric Dumazet Signed-off-by: Martin K. Petersen CVE-2017-14991 (backported from commit 3e0097499839e0fe3af380410eababe5a47c4cf9) Signed-off-by: Kleber Sacilotto de Souza Acked-by: Colin Ian King Acked-by: Stefan Bader --- drivers/scsi/sg.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 47b8f7b8b7b4..1c3dd355b317 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1003,14 +1003,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) sg_req_info_t *rinfo; unsigned int ms; - rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE, - GFP_KERNEL); + rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE, + GFP_KERNEL); if (!rinfo) return -ENOMEM; read_lock_irqsave(&sfp->rq_list_lock, iflags); for (srp = sfp->headrp, val = 0; val < SG_MAX_QUEUE; ++val, srp = srp ? srp->nextrp : srp) { - memset(&rinfo[val], 0, SZ_SG_REQ_INFO); if (srp) { rinfo[val].req_state = srp->done + 1; rinfo[val].problem =
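Review bot: the commit message does not describe the loop in this tree. The loop in the hunk runs `val < SG_MAX_QUEUE` and advances with `srp = srp ? srp->nextrp : srp`, so it visits every slot, and the `memset(&rinfo[val], 0, SZ_SG_REQ_INFO)` being removed already cleared each entry before the `if (srp)` test; the "half-filled table" in the description refers to the upstream loop that stops at the end of the request list. Replacing the per-slot memset with `kzalloc()` is still correct and equivalent here, but the backport note should say that this loop was already clearing the unused tail, so a reader does not assume the tail was exposed on this kernel. Minor style point on the same lines: for an array allocation prefer `kcalloc(SG_MAX_QUEUE, SZ_SG_REQ_INFO, GFP_KERNEL)` over `kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE, GFP_KERNEL)`; both operands are compile-time constants so the product cannot overflow, but kcalloc states the intent and matches how zeroed arrays are allocated elsewhere in the kernel.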
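An added illustration of the leak the commit message describes, not code from the sg driver or from this patch: a user-space model in which a static arena pre-filled with a marker byte stands in for stale kernel heap, the struct mirrors sg_req_info_t from <scsi/sg.h>, SG_MAX_QUEUE is taken as 16, and build_table() reproduces the ioctl loop in three variants (plain allocation stopping at the end of the request list, as upstream had it; plain allocation clearing every slot, as the Trusty loop did; zeroed allocation, as the patch does). stale_bytes() counts what copy_to_user() would have handed to the caller. The helper names, the marker value and the three active requests are constructed for the example.

```c
/* Added illustration (not from the sg driver or the patch): models the
 * SG_GET_REQUEST_TABLE infoleak in user space.  A static arena stands in
 * for the kernel heap and is pre-filled with a marker byte that plays the
 * role of stale data left behind by an earlier allocation. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SG_MAX_QUEUE 16          /* assumed queue depth of the sg driver */
#define STALE_BYTE   0xA5        /* constructed "stale heap" marker */

/* Mirror of sg_req_info_t from <scsi/sg.h> (same field order and types). */
struct sg_req_info {
    char req_state;              /* 0 unused, 1 written, 2 ready to read */
    char orphan;
    char sg_io_owned;
    char problem;
    int pack_id;
    void *usr_ptr;
    unsigned int duration;
    int unused;
};
#define SZ_SG_REQ_INFO sizeof(struct sg_req_info)

/* Simulated kernel heap: a single slab that a non-zeroing allocation hands
 * back with recognisable stale contents. */
static unsigned char arena[SZ_SG_REQ_INFO * SG_MAX_QUEUE];

static void *sim_kmalloc(size_t n)
{
    memset(arena, STALE_BYTE, sizeof arena);   /* leftovers from a previous user */
    return n <= sizeof arena ? arena : NULL;
}

static void *sim_kzalloc(size_t n)
{
    void *p = sim_kmalloc(n);
    if (p)
        memset(p, 0, n);                        /* what kzalloc() guarantees */
    return p;
}

/* Build the table the way the ioctl handler does: walk the request list
 * (n_active live requests) and fill one entry per request.  walk_all_slots
 * chooses between the upstream loop, which stops at the end of the list,
 * and the Trusty loop, which visits every slot and memsets it first. */
static struct sg_req_info *build_table(int zero_alloc, int walk_all_slots, int n_active)
{
    struct sg_req_info *rinfo = zero_alloc
        ? sim_kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE)
        : sim_kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE);
    int val;

    if (!rinfo)
        return NULL;
    for (val = 0; val < SG_MAX_QUEUE; ++val) {
        int have_req = val < n_active;
        if (!walk_all_slots && !have_req)
            break;                              /* upstream loop: srp == NULL ends it */
        if (walk_all_slots)
            memset(&rinfo[val], 0, SZ_SG_REQ_INFO);  /* the line the patch removes */
        if (have_req) {
            rinfo[val].req_state = 2;           /* "ready to read" */
            rinfo[val].pack_id = 1000 + val;    /* constructed request ids */
            rinfo[val].duration = 10u * (unsigned)val;
        }
    }
    return rinfo;
}

/* Bytes in the unused tail of the table that still hold stale heap
 * contents, i.e. what copy_to_user() would have leaked to the caller. */
static size_t stale_bytes(const struct sg_req_info *rinfo, int n_active)
{
    const unsigned char *p = (const unsigned char *)&rinfo[n_active];
    size_t len = SZ_SG_REQ_INFO * (size_t)(SG_MAX_QUEUE - n_active), i, n = 0;

    for (i = 0; i < len; i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

int main(void)
{
    struct sg_req_info *t;

    t = build_table(0, 0, 3);
    printf("kmalloc, stop at list end:   %zu stale bytes\n", stale_bytes(t, 3));
    t = build_table(0, 1, 3);
    printf("kmalloc, memset every slot:  %zu stale bytes\n", stale_bytes(t, 3));
    t = build_table(1, 0, 3);
    printf("kzalloc, stop at list end:   %zu stale bytes\n", stale_bytes(t, 3));
    return 0;
}
```

Only the first variant reports a non-zero count: with three live requests, the 13 untouched entries reach user space byte for byte. The other two report zero, which is why swapping the per-slot memset for a zeroed allocation is a safe simplification on a loop that already visits every slot, and a real fix on a loop that leaves early.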