Bug 64782 (CVE-2005-0180)

Summary: VUL-0: CVE-2005-0180: grsecurity: sg_scsi_ioctl integer overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team, smueller
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0180: CVSS v2 Base Score: 3.6 (AV:L/AC:L/Au:N/C:P/I:P/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Make the value in question unsigned
xx.c

Description Marcus Meissner 2005-01-13 00:16:21 UTC 
from grsecurity. 
 
in drivers/block/scsi_ioctl.c::sg_scsi_ioctl 
 
the Scsi_Ioctl_Command contains unsigned ints, it however reads out  
singed ints for in_len and out_len. 
 
they are later compared > PAGE_SIZE ... and not checked for underflow. 
 
I was not yet able to reproduce a problem with it. reading the amd64 assembler 
it seems it does an unsigned comparison, so it does not find the problem.
Comment 1 Marcus Meissner 2005-01-13 00:16:21 UTC 
<!-- SBZ_reproduce  -->
n/a
Comment 2 Jens Axboe 2005-01-13 00:22:26 UTC 
Created attachment 27598 [details]
Make the value in question unsigned

This should fix it, ok to commit?
Comment 3 Jens Axboe 2005-01-13 00:30:25 UTC 
I committed it to SP1, question is whether we will issue a SLES9GA update as
well before SP1 hits the streets? Should I commit to GA as well?
Comment 4 Marcus Meissner 2005-01-13 00:31:13 UTC 
please do not commit to GA yet. 
 
but please commit to HEAD and 9.2. 
 
also get it to mainline ;)
Comment 5 Jens Axboe 2005-01-13 02:21:06 UTC 
Done, committed to HEAD and SLES92.
Comment 6 Jens Axboe 2005-01-15 22:11:58 UTC 
The patch is in mainline. Assigning to Marcus since I don't know how to further
follow up on this.
Comment 7 Marcus Meissner 2005-01-17 17:26:33 UTC 
jens, its already as patch in our next update kernels. so we are on it.
Comment 8 Jens Axboe 2005-01-17 17:43:07 UTC 
Thanks Marcus!
Comment 9 Marcus Meissner 2005-01-18 20:41:04 UTC 
actually this might even be a non issue in the existing code.
Comment 10 Marcus Meissner 2005-01-18 20:42:06 UTC 
amd64:  
 
The comparison before patch: 
 
ffffffff8026757e:       81 f9 00 10 00 00       cmp    $0x1000,%ecx 
ffffffff80267584:       0f 97 c2                seta   %dl 
ffffffff80267587:       81 7c 24 2c 00 10 00    cmpl   $0x1000,0x2c(%rsp) 
ffffffff8026758e:       00  
ffffffff8026758f:       0f 97 c0                seta   %al 
ffffffff80267592:       09 d0                   or     %edx,%eax 
ffffffff80267594:       89 ea                   mov    %ebp,%edx 
ffffffff80267596:       a8 01                   test   $0x1,%al 
 
The comparison after the patch: 
ffffffff8026757e:       81 f9 00 10 00 00       cmp    $0x1000,%ecx 
ffffffff80267584:       0f 97 c2                seta   %dl 
ffffffff80267587:       81 7c 24 30 00 10 00    cmpl   $0x1000,0x30(%rsp) 
ffffffff8026758e:       00  
ffffffff8026758f:       0f 97 c0                seta   %al 
ffffffff80267592:       09 d0                   or     %edx,%eax 
ffffffff80267594:       89 ea                   mov    %ebp,%edx 
ffffffff80267596:       a8 01                   test   $0x1,%al 
 
except the stack offset this is unchanged.
Comment 11 Marcus Meissner 2005-01-18 20:54:59 UTC 
ppc64: 
 
the code is different, one does sign extension, one does not. :(
Comment 12 Marcus Meissner 2005-01-18 21:32:24 UTC 
Created attachment 27713 [details]
xx.c

testcode
Comment 13 Marcus Meissner 2005-01-18 21:33:58 UTC 
this code has the same conditions basically as the function in question. 
 
On all platforms this outputs: 
 
$ ./xx 
Hallo Welt 2. 
$ 
 
(I admit this is not the fully same code.)
Comment 14 Marcus Meissner 2005-02-01 17:49:04 UTC 
CAN-2005-0180 possibly.
Comment 15 Marcus Meissner 2005-02-05 01:05:20 UTC 
updates released.
Comment 16 Thomas Biege 2009-10-13 20:57:08 UTC 
CVE-2005-0180: CVSS v2 Base Score: 3.6 (AV:L/AC:L/Au:N/C:P/I:P/A:N)