[SRU,Hirsute,Focal/linux-oem-5.10,Groovy,Focal/linux-oem-5.6,Focal,Bionic,0/4] CVE-2021-27363, CVE-2021-27364, CVE-2021-27365

Message ID 20210311023621.1152868-1-cascardo@canonical.com

Message

Thadeu Lima de Souza Cascardo March 11, 2021, 2:36 a.m. UTC
[Impact]
Unprivileged users can use the iscsi_transport handle to leak kernel address,
create/close iscsi sessions, and write out of bounds when reading sysfs iscsi
attributes.

[Fix/Backport]
3 commits fix the problem, minimal backporting was needed because of missing
commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
*change_owner functions.

[Test case]
Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
possible anymore. Also, creating a session also failed, and even as root,
setting a name larger than PAGE_SIZE failed.

[Potential regression]
iscsi users could fail to operate as unprivileged users.

Chris Leech (2):
  scsi: iscsi: Verify lengths on passthrough PDUs
  scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE

Joe Perches (1):
  sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output

Lee Duncan (1):
  scsi: iscsi: Restrict sessions and handles to admin capabilities

 Documentation/filesystems/sysfs.txt |   8 +-
 drivers/scsi/libiscsi.c             | 148 ++++++++++++++--------------
 drivers/scsi/scsi_transport_iscsi.c |  39 ++++++--
 fs/sysfs/file.c                     |  55 +++++++++++
 include/linux/sysfs.h               |  16 +++
 5 files changed, 178 insertions(+), 88 deletions(-)
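
Added example, not part of the original message or of the kernel patches: a userspace C model of the bounded formatting that `sysfs_emit` and `sysfs_emit_at` give sysfs show callbacks, which is what keeps an attribute from writing past PAGE_SIZE. The `model_` names, `page_buf`, the 4 KiB page size and the oversized value are assumptions made for illustration; the kernel helpers also WARN on a bad buffer or offset, which the model leaves out.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MODEL_PAGE_SIZE 4096 /* assumption: 4 KiB pages */
/* One "sysfs page" plus a guard page, so a write past the page is detectable. */
static _Alignas(MODEL_PAGE_SIZE) char page_buf[2 * MODEL_PAGE_SIZE];

/* Shared core: reject bad buffer/offset, format into the rest of the page, return bytes stored. */
static int model_vemit(char *buf, int at, const char *fmt, va_list ap)
{
    if (!buf || (uintptr_t)buf % MODEL_PAGE_SIZE || at < 0 || at >= MODEL_PAGE_SIZE)
        return 0;
    int room = MODEL_PAGE_SIZE - at;
    int n = vsnprintf(buf + at, (size_t)room, fmt, ap);
    if (n <= 0) return 0;
    return n < room ? n : room - 1; /* truncated: count excludes the NUL */
}

int model_sysfs_emit(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = model_vemit(buf, 0, fmt, ap);
    va_end(ap);
    return len;
}

int model_sysfs_emit_at(char *buf, int at, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = model_vemit(buf, at, fmt, ap);
    va_end(ap);
    return len;
}

/* Constructed case: show a value longer than a page; -1 means the guard page was written. */
int demo_oversized_attribute(void)
{
    static char value[MODEL_PAGE_SIZE + 512 + 1];
    memset(value, 'A', sizeof(value) - 1);
    memset(page_buf + MODEL_PAGE_SIZE, 0x5a, MODEL_PAGE_SIZE);
    int len = model_sysfs_emit(page_buf, "%s\n", value);
    for (int i = 0; i < MODEL_PAGE_SIZE; i++)
        if (page_buf[MODEL_PAGE_SIZE + i] != 0x5a)
            return -1;
    return len;
}
```

An unbounded `sprintf` into the same buffer would have written 4609 bytes plus the terminator; the bounded form stores at most one page and reports the truncated length.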

Comments

Stefan Bader March 11, 2021, 10:56 a.m. UTC | #1
On 11.03.21 03:36, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users can use the iscsi_transport handle to leak kernel address,
> create/close iscsi sessions, and write out of bounds when reading sysfs iscsi
> attributes.
> 
> [Fix/Backport]
> 3 commits fix the problem, minimal backporting was needed because of missing
> commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
> 4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
> *change_owner functions.
> 
> [Test case]
> Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
> possible anymore. Also, creating a session also failed, and even as root,
> setting a name larger than PAGE_SIZE failed.
> 
> [Potential regression]
> iscsi users could fail to operate as unprivileged users.
> 
> Chris Leech (2):
>    scsi: iscsi: Verify lengths on passthrough PDUs
>    scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
> 
> Joe Perches (1):
>    sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
> 
> Lee Duncan (1):
>    scsi: iscsi: Restrict sessions and handles to admin capabilities
> 
>   Documentation/filesystems/sysfs.txt |   8 +-
>   drivers/scsi/libiscsi.c             | 148 ++++++++++++++--------------
>   drivers/scsi/scsi_transport_iscsi.c |  39 ++++++--
>   fs/sysfs/file.c                     |  55 +++++++++++
>   include/linux/sysfs.h               |  16 +++
>   5 files changed, 178 insertions(+), 88 deletions(-)
> 
I attribute this to the late moment when it was seen to be important to go into 
next cycle, but picking the right patch(es) per series will be challenging...


Acked-by: Stefan Bader <stefan.bader@canonical.com>

Tim Gardner March 11, 2021, 12:23 p.m. UTC | #2
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 3/10/21 7:36 PM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users can use the iscsi_transport handle to leak kernel address,
> create/close iscsi sessions, and write out of bounds when reading sysfs iscsi
> attributes.
> 
> [Fix/Backport]
> 3 commits fix the problem, minimal backporting was needed because of missing
> commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
> 4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
> *change_owner functions.
> 
> [Test case]
> Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
> possible anymore. Also, creating a session also failed, and even as root,
> setting a name larger than PAGE_SIZE failed.
> 
> [Potential regression]
> iscsi users could fail to operate as unprivileged users.
> 
> Chris Leech (2):
>    scsi: iscsi: Verify lengths on passthrough PDUs
>    scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
> 
> Joe Perches (1):
>    sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
> 
> Lee Duncan (1):
>    scsi: iscsi: Restrict sessions and handles to admin capabilities
> 
>   Documentation/filesystems/sysfs.txt |   8 +-
>   drivers/scsi/libiscsi.c             | 148 ++++++++++++++--------------
>   drivers/scsi/scsi_transport_iscsi.c |  39 ++++++--
>   fs/sysfs/file.c                     |  55 +++++++++++
>   include/linux/sysfs.h               |  16 +++
>   5 files changed, 178 insertions(+), 88 deletions(-)
>

Kelsey Skunberg March 12, 2021, 1:18 a.m. UTC | #3
Applied to G/F/B master-next. Thank you! 

-Kelsey

On 2021-03-10 23:36:12 , Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users can use the iscsi_transport handle to leak kernel address,
> create/close iscsi sessions, and write out of bounds when reading sysfs iscsi
> attributes.
> 
> [Fix/Backport]
> 3 commits fix the problem, minimal backporting was needed because of missing
> commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
> 4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
> *change_owner functions.
> 
> [Test case]
> Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
> possible anymore. Also, creating a session also failed, and even as root,
> setting a name larger than PAGE_SIZE failed.
> 
> [Potential regression]
> iscsi users could fail to operate as unprivileged users.
> 
> Chris Leech (2):
>   scsi: iscsi: Verify lengths on passthrough PDUs
>   scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
> 
> Joe Perches (1):
>   sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
> 
> Lee Duncan (1):
>   scsi: iscsi: Restrict sessions and handles to admin capabilities
> 
>  Documentation/filesystems/sysfs.txt |   8 +-
>  drivers/scsi/libiscsi.c             | 148 ++++++++++++++--------------
>  drivers/scsi/scsi_transport_iscsi.c |  39 ++++++--
>  fs/sysfs/file.c                     |  55 +++++++++++
>  include/linux/sysfs.h               |  16 +++
>  5 files changed, 178 insertions(+), 88 deletions(-)

Seth Forshee March 17, 2021, 4:13 p.m. UTC | #4
On Wed, Mar 10, 2021 at 11:36:12PM -0300, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users can use the iscsi_transport handle to leak kernel address,
> create/close iscsi sessions, and write out of bounds when reading sysfs iscsi
> attributes.
> 
> [Fix/Backport]
> 3 commits fix the problem, minimal backporting was needed because of missing
> commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
> 4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
> *change_owner functions.
> 
> [Test case]
> Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
> possible anymore. Also, creating a session also failed, and even as root,
> setting a name larger than PAGE_SIZE failed.
> 
> [Potential regression]
> iscsi users could fail to operate as unprivileged users.

All of these patches have already hit 5.11 via stable updates, so nack
for hirsute.

Timo Aaltonen March 18, 2021, 7:13 p.m. UTC | #5
On 11.3.2021 4.36, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users can use the iscsi_transport handle to leak kernel address,
> create/close iscsi sessions, and write out of bounds when reading sysfs iscsi
> attributes.
> 
> [Fix/Backport]
> 3 commits fix the problem, minimal backporting was needed because of missing
> commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
> 4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
> *change_owner functions.
> 
> [Test case]
> Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
> possible anymore. Also, creating a session also failed, and even as root,
> setting a name larger than PAGE_SIZE failed.
> 
> [Potential regression]
> iscsi users could fail to operate as unprivileged users.
> 
> Chris Leech (2):
>    scsi: iscsi: Verify lengths on passthrough PDUs
>    scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
> 
> Joe Perches (1):
>    sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
> 
> Lee Duncan (1):
>    scsi: iscsi: Restrict sessions and handles to admin capabilities
> 
>   Documentation/filesystems/sysfs.txt |   8 +-
>   drivers/scsi/libiscsi.c             | 148 ++++++++++++++--------------
>   drivers/scsi/scsi_transport_iscsi.c |  39 ++++++--
>   fs/sysfs/file.c                     |  55 +++++++++++
>   include/linux/sysfs.h               |  16 +++
>   5 files changed, 178 insertions(+), 88 deletions(-)
> 

already applied via stable updates