lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2743667.hK8qPvyv2t@eto>
Date:	Fri, 16 Nov 2012 10:35:32 +0100
From:	Rolf Eike Beer <eike-kernel@...tec.de>
To:	Sasha Levin <sasha.levin@...cle.com>
Cc:	JBottomley@...allels.com, linux-scsi@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] scsi: prevent stack buffer overflow in host_reset

Am Donnerstag 15 November 2012, 15:51:46 schrieb Sasha Levin:
> store_host_reset() has tried to re-invent the wheel to compare sysfs
> strings. Unfortunately it did so poorly and never bothered to check the
> input from userspace before overwriting stack with it, so something simple
> as:
> 
> echo "WoopsieWoopsie" >
> /sys/devices/pseudo_0/adapter0/host0/scsi_host/host0/host_reset
> 
> would result in:
> 
> [  316.310101] Kernel panic - not syncing: stack-protector: Kernel stack is
> corrupted in: ffffffff81f5bac7 [  316.310101]
> [  316.320051] Pid: 6655, comm: sh Tainted: G        W   
> 3.7.0-rc5-next-20121114-sasha-00016-g5c9d68d-dirty #129 [  316.320051] Call
> Trace:
> [  316.340058] pps pps0: PPS event at 1352918752.620355751
> [  316.340062] pps pps0: capture assert seq #303
> [  316.320051]  [<ffffffff83b3856b>] panic+0xcd/0x1f4
> [  316.320051]  [<ffffffff81f5bac7>] ? store_host_reset+0xd7/0x100
> [  316.320051]  [<ffffffff8110b996>] __stack_chk_fail+0x16/0x20
> [  316.320051]  [<ffffffff81f5bac7>] store_host_reset+0xd7/0x100
> [  316.320051]  [<ffffffff81e55bb3>] dev_attr_store+0x13/0x30
> [  316.320051]  [<ffffffff812f7db1>] sysfs_write_file+0x101/0x170
> [  316.320051]  [<ffffffff8127acc8>] vfs_write+0xb8/0x180
> [  316.320051]  [<ffffffff8127ae80>] sys_write+0x50/0xa0
> [  316.320051]  [<ffffffff83c03418>] tracesys+0xe1/0xe6
> 
> Fix this by uninventing whatever was going on there and just use
> sysfs_streq.
> 
> Bug introduced by 29443691 ("[SCSI] scsi: Added support for adapter and
> firmware reset").
> 
> Signed-off-by: Sasha Levin <sasha.levin@...cle.com>

That revision is in 3.2 and all following, so I think this needs to go into 
stable, too.

Eike
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ