Bug 931988 - (CVE-2015-4036) VUL-0: CVE-2015-4036: kernel: potential memory corruption (denial of service) in vhost/scsi driver
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/116987/
Reported: 2015-05-22 09:18 UTC by Alexander Bergmann
Modified: 2016-04-27 21:05 UTC (History)

Found By: Security Response Team
Description Alexander Bergmann 2015-05-22 09:18:15 UTC
rh#1189864 / CVE-2015-4036
--------------------------------
It was reported that in vhost_scsi_make_tpg() the limit for "tpgt" is UINT_MAX, but the data type of "tpg->tport_tpgt" is a u16.

In the context it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg[] array, which has VHOST_SCSI_MAX_TARGET (256) elements, so anything higher than 255 is invalid. Attached patch corrects this.
In vhost_scsi_send_evt() the values higher than 255 are masked, but now that the limit has changed, the mask is not needed.

Upstream fix:
http://www.spinics.net/lists/linux-scsi/msg82650.html
--------------------------------

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1189864
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4036
http://seclists.org/oss-sec/2015/q2/519
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4036.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4036
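The two failure modes the report describes (a u16 field fed from a UINT_MAX-bounded parse, and the result used as an index into a 256-entry vs_tpg[]) can be made concrete in a small user-space model. This is an added example, not the kernel's code or the attached patch; the "tpgt_" name prefix, the parse helper, and the sample inputs are assumptions constructed for illustration, and the "fixed" variant only mirrors the direction of the fix the report states (reject anything that is not a valid vs_tpg[] index).

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the tpgt check in vhost_scsi_make_tpg();
 * not the kernel's code. vs_tpg[] has VHOST_SCSI_MAX_TARGET entries. */
#define VHOST_SCSI_MAX_TARGET 256
/* Shared helper: parse the digits after "tpgt_". 0 on success, -EINVAL otherwise. */
static int parse_digits(const char *name, unsigned long *val)
{
	char *end;
	if (strncmp(name, "tpgt_", 5) != 0)
		return -EINVAL;
	errno = 0;
	*val = strtoul(name + 5, &end, 10);
	return (errno != 0 || end == name + 5 || *end != '\0') ? -EINVAL : 0;
}

/* Pre-fix behaviour: limit is UINT_MAX, then the value lands in a u16, so
 * 65536 silently becomes 0 and 300 survives as an out-of-range vs_tpg[] index.
 * Returns the u16 that would be stored in tpg->tport_tpgt, or -1 if rejected. */
static long tpgt_old(const char *name)
{
	unsigned long v;
	if (parse_digits(name, &v) != 0 || v > UINT_MAX)
		return -1;
	return (uint16_t)v;
}

/* Fixed behaviour: reject anything that is not a valid vs_tpg[] index before
 * it is stored, so neither truncation nor an array overrun is possible. */
static long tpgt_fixed(const char *name)
{
	unsigned long v;
	if (parse_digits(name, &v) != 0 || v >= VHOST_SCSI_MAX_TARGET)
		return -1;
	return (uint16_t)v;
}

int main(void)
{
	const char *samples[] = { "tpgt_7", "tpgt_300", "tpgt_65536", "tpgt_x" };
	for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
		printf("%-11s old=%ld fixed=%ld\n", samples[i],
		       tpgt_old(samples[i]), tpgt_fixed(samples[i]));
	return 0;
}
```

Any value the old path accepts but the fixed path rejects is one that either wrapped in the u16 field or would have indexed past the end of vs_tpg[].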
Comment 1 Hannes Reinecke 2015-05-22 09:22:42 UTC
Patch is okay.
Comment 2 Borislav Petkov 2015-05-22 09:28:01 UTC
Fix is already upstream:

59c816c1f24d ("vhost/scsi: potential memory corruption")

Lemme take a look.
Comment 3 Borislav Petkov 2015-05-22 10:25:28 UTC
SLE12: pushed out. Adding mhocko for TD.
Comment 4 Borislav Petkov 2015-05-22 10:30:54 UTC
@mhocko: You don't need to look, actually. The vhost/scsi.c thing came in in 3.9.
Comment 5 Borislav Petkov 2015-05-22 11:01:32 UTC
Pushed to oS13.x. Bouncing back to security@.
Comment 6 Swamp Workflow Management 2015-07-31 08:18:57 UTC
SUSE-SU-2015:1324-1: An update that solves 11 vulnerabilities and has 63 fixes is now available.

Category: security (important)
Bug References: 854817,854824,858727,866911,867362,895814,903279,907092,908491,915183,917630,918618,921430,924071,924526,926369,926953,927455,927697,927786,928131,929475,929696,929879,929974,930092,930399,930579,930599,930972,931124,931403,931538,931620,931860,931988,932348,932793,932897,932898,932899,932900,932967,933117,933429,933637,933896,933904,933907,934160,935083,935085,935088,935174,935542,935881,935918,936012,936423,936445,936446,936502,936556,936831,936875,937032,937087,937609,937612,937613,937616,938022,938023,938024
CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-1805,CVE-2015-3212,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-5364,CVE-2015-5366
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    kernel-default-3.12.44-52.10.1
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.44-52.10.3, kernel-obs-build-3.12.44-52.10.1
SUSE Linux Enterprise Server 12 (src):    kernel-default-3.12.44-52.10.1, kernel-source-3.12.44-52.10.1, kernel-syms-3.12.44-52.10.1, kernel-xen-3.12.44-52.10.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.44-52.10.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_6-1-2.1
SUSE Linux Enterprise Desktop 12 (src):    kernel-default-3.12.44-52.10.1, kernel-source-3.12.44-52.10.1, kernel-syms-3.12.44-52.10.1, kernel-xen-3.12.44-52.10.1
Comment 7 Marcus Meissner 2015-09-04 15:15:33 UTC
openSUSE will be released at some point, otherwise done
Comment 8 Swamp Workflow Management 2016-02-01 15:18:52 UTC
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1