Bug 64782 (CVE-2005-0180) - VUL-0: CVE-2005-0180: grsecurity: sg_scsi_ioctl integer overflow
Summary: VUL-0: CVE-2005-0180: grsecurity: sg_scsi_ioctl integer overflow
Status: RESOLVED FIXED
Alias: CVE-2005-0180
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2005-0180: CVSS v2 Base Score: 3....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-13 00:16 UTC by Marcus Meissner
Modified: 2021-10-27 11:44 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Make the value in question unsigned (604 bytes, patch)
2005-01-13 00:22 UTC, Jens Axboe
xx.c (202 bytes, text/plain)
2005-01-18 21:32 UTC, Marcus Meissner

Description Marcus Meissner 2005-01-13 00:16:21 UTC
from grsecurity.

in drivers/block/scsi_ioctl.c::sg_scsi_ioctl

the Scsi_Ioctl_Command contains unsigned ints, it however reads out
signed ints for in_len and out_len.

they are later compared > PAGE_SIZE ... and not checked for underflow.

I was not yet able to reproduce a problem with it. Reading the amd64 assembler
it seems it does an unsigned comparison, so it does not find the problem.
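To make the signedness question in the report concrete, here is an added example (not the kernel's sg_scsi_ioctl code and not the attached patch): a constructed struct with unsigned lengths is checked three ways, with the lengths read into signed ints against a signed limit, into signed ints against an unsigned long PAGE_SIZE, and kept unsigned as the fix does. The struct, PAGE_SIZE type, function names and sample lengths are all assumptions made for the demonstration.

```c
#include <stdio.h>
/* Constructed stand-in for the ioctl argument the report describes:
 * the user-supplied lengths are unsigned ints. */
struct scsi_ioctl_command { unsigned int inlen, outlen; };
#define PAGE_SIZE 4096UL  /* assumption: an unsigned long, as on Linux */

/* Constructed inputs: one sane request, one with a length near 4 GiB. */
const struct scsi_ioctl_command sample_ok   = { 512u, 16u };
const struct scsi_ioctl_command sample_huge = { 0xFFFFFFF0u, 16u };

/* Pattern 1: lengths read into signed ints, compared with a signed limit.
 * 0xFFFFFFF0 becomes -16, which is not "> 4096", so the request is
 * accepted: the underflow the description warns about. */
int check_signed_vs_int(const struct scsi_ioctl_command *sic)
{
    int in_len = (int)sic->inlen, out_len = (int)sic->outlen, limit = 4096;
    if (in_len > limit || out_len > limit)
        return -1;  /* rejected, -EINVAL in the kernel */
    return 0;       /* accepted */
}

/* Pattern 2: same signed locals, but the limit is an unsigned long. The
 * usual arithmetic conversions turn -16 into 0xFFFF...FFF0 before the
 * compare, so the request is rejected anyway; that is why the amd64
 * disassembly in comment 10 shows an unsigned compare (seta) either way. */
int check_signed_vs_ulong(const struct scsi_ioctl_command *sic)
{
    int in_len = (int)sic->inlen, out_len = (int)sic->outlen;
    if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
        return -1;
    return 0;
}

/* Pattern 3: what the attached fix does, keep the lengths unsigned so the
 * check no longer depends on the limit's type or on the compiler. */
int check_unsigned(const struct scsi_ioctl_command *sic)
{
    unsigned int in_len = sic->inlen, out_len = sic->outlen;
    if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
        return -1;
    return 0;
}

int main(void)
{
    printf("signed/int %d, signed/ulong %d, unsigned %d\n",  /* 0, -1, -1 */
           check_signed_vs_int(&sample_huge), check_signed_vs_ulong(&sample_huge),
           check_unsigned(&sample_huge));
    return 0;
}
```

Only the first pattern lets the oversized length through; whether the real code had a signed or unsigned limit is what decides if this was exploitable, which is the question the later comments and the ppc64 observation are chasing.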
Comment 1 Marcus Meissner 2005-01-13 00:16:21 UTC
n/a
Comment 2 Jens Axboe 2005-01-13 00:22:26 UTC
Created attachment 27598 [details]
Make the value in question unsigned

This should fix it, ok to commit?
Comment 3 Jens Axboe 2005-01-13 00:30:25 UTC
I committed it to SP1, question is whether we will issue a SLES9GA update as
well before SP1 hits the streets? Should I commit to GA as well?
Comment 4 Marcus Meissner 2005-01-13 00:31:13 UTC
please do not commit to GA yet. 
 
but please commit to HEAD and 9.2. 
 
also get it to mainline ;) 
Comment 5 Jens Axboe 2005-01-13 02:21:06 UTC
Done, committed to HEAD and SLES92.
Comment 6 Jens Axboe 2005-01-15 22:11:58 UTC
The patch is in mainline. Assigning to Marcus since I don't know how to further
follow up on this.
Comment 7 Marcus Meissner 2005-01-17 17:26:33 UTC
Jens, it's already in as a patch in our next update kernels. So we are on it.
Comment 8 Jens Axboe 2005-01-17 17:43:07 UTC
Thanks Marcus!
Comment 9 Marcus Meissner 2005-01-18 20:41:04 UTC
actually this might even be a non-issue in the existing code.
Comment 10 Marcus Meissner 2005-01-18 20:42:06 UTC
amd64:  
 
The comparison before patch: 
 
ffffffff8026757e:       81 f9 00 10 00 00       cmp    $0x1000,%ecx 
ffffffff80267584:       0f 97 c2                seta   %dl 
ffffffff80267587:       81 7c 24 2c 00 10 00    cmpl   $0x1000,0x2c(%rsp) 
ffffffff8026758e:       00  
ffffffff8026758f:       0f 97 c0                seta   %al 
ffffffff80267592:       09 d0                   or     %edx,%eax 
ffffffff80267594:       89 ea                   mov    %ebp,%edx 
ffffffff80267596:       a8 01                   test   $0x1,%al 
 
The comparison after the patch: 
ffffffff8026757e:       81 f9 00 10 00 00       cmp    $0x1000,%ecx 
ffffffff80267584:       0f 97 c2                seta   %dl 
ffffffff80267587:       81 7c 24 30 00 10 00    cmpl   $0x1000,0x30(%rsp) 
ffffffff8026758e:       00  
ffffffff8026758f:       0f 97 c0                seta   %al 
ffffffff80267592:       09 d0                   or     %edx,%eax 
ffffffff80267594:       89 ea                   mov    %ebp,%edx 
ffffffff80267596:       a8 01                   test   $0x1,%al 
 
Except for the stack offset this is unchanged.
 
Comment 11 Marcus Meissner 2005-01-18 20:54:59 UTC
ppc64: 
 
the code is different, one does sign extension, one does not. :( 
Comment 12 Marcus Meissner 2005-01-18 21:32:24 UTC
Created attachment 27713 [details]
xx.c

testcode
Comment 13 Marcus Meissner 2005-01-18 21:33:58 UTC
this code has the same conditions basically as the function in question. 
 
On all platforms this outputs: 
 
$ ./xx 
Hallo Welt 2. 
$ 
 
(I admit this is not the fully same code.) 
Comment 14 Marcus Meissner 2005-02-01 17:49:04 UTC
CAN-2005-0180 possibly. 
Comment 15 Marcus Meissner 2005-02-05 01:05:20 UTC
updates released. 
Comment 16 Thomas Biege 2009-10-13 20:57:08 UTC
CVE-2005-0180: CVSS v2 Base Score: 3.6 (AV:L/AC:L/Au:N/C:P/I:P/A:N)