diff --git a/SOURCES/scsi-iscsi-kpatch-fixes-for-CVE-2021-27364-and-CVE-2.patch b/SOURCES/scsi-iscsi-kpatch-fixes-for-CVE-2021-27364-and-CVE-2.patch new file mode 100644 index 0000000..15e5af0 --- /dev/null +++ b/SOURCES/scsi-iscsi-kpatch-fixes-for-CVE-2021-27364-and-CVE-2.patch @@ -0,0 +1,589 @@ +From 7627b7136546892ed803c6f41153d0674c05fc1f Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Fri, 26 Mar 2021 13:24:17 -0400 +Subject: [PATCH] scsi: iscsi: kpatch fixes for CVE-2021-27364 and + CVE-2021-27365 + +Notes: backport CVE-2021-27363 to simplify patchset + see [JL] notes in commit msgs below correcting CVE numbers + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 + +Changes since last build: +arches: x86_64 ppc64le +libiscsi.o: changed function: iscsi_conn_get_addr_param +libiscsi.o: changed function: iscsi_conn_get_param +libiscsi.o: changed function: iscsi_host_get_param +libiscsi.o: changed function: iscsi_session_get_param +scsi_transport_iscsi.o: changed function: iscsi_if_recv_msg +scsi_transport_iscsi.o: changed function: show_ep_handle +scsi_transport_iscsi.o: changed function: show_priv_session_creator +scsi_transport_iscsi.o: changed function: show_priv_session_recovery_tmo +scsi_transport_iscsi.o: changed function: show_priv_session_state +scsi_transport_iscsi.o: changed function: show_priv_session_target_id +scsi_transport_iscsi.o: changed function: show_transport_caps +scsi_transport_iscsi.o: changed function: show_transport_handle +--------------------------- + +Modifications: none + +commit b307f0f6090743a904454f6ecc54d290ca18a693 +Author: Chris Leech +Date: Thu Mar 4 09:55:32 2021 -0800 + + scsi: iscsi: Restrict sessions and handles to admin capabilities + + Bugzilla: http://bugzilla.redhat.com/1930807 + CVE: CVE-2021-27364 << [JL] should be CVE-2021-27363 + + commit 688e8128b7a92df982709a4137ea4588d16f24aa + Author: Lee Duncan + Date: Tue Feb 23 13:06:24 2021 -0800 + + scsi: iscsi: Restrict sessions and handles to admin capabilities + + Protect the iSCSI transport handle, available in sysfs, by requiring + CAP_SYS_ADMIN to read it. Also protect the netlink socket by restricting + reception of messages to ones sent with CAP_SYS_ADMIN. This disables + normal users from being able to end arbitrary iSCSI sessions. + + Cc: stable@vger.kernel.org + Reported-by: Adam Nichols + Reviewed-by: Chris Leech + Reviewed-by: Mike Christie + Signed-off-by: Lee Duncan + Signed-off-by: Martin K. Petersen + + Signed-off-by: Chris Leech + +commit af581fe518f4d6a6f28064f932d9374e0444d706 +Author: Chris Leech +Date: Thu Mar 4 09:57:23 2021 -0800 + + scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE + + Bugzilla: http://bugzilla.redhat.com/1930849 + CVE: CVE-2021-27363 << [JL] should be CVE-2021-27365 + + Conflicts: The sysfs_emit helper doesn't exist for backports, but other + than a sanity check on buf it's just a call to scnprintf with a + PAGE_SIZE limit. + converted with s/sysfs_emit(buf,/scnprintf(buf, PAGE_SIZE,/ + + commit ec98ea7070e94cc25a422ec97d1421e28d97b7ee + Author: Chris Leech + Date: Tue Feb 23 18:00:17 2021 -0800 + + scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE + + As the iSCSI parameters are exported back through sysfs, it should be + enforcing that they never are more than PAGE_SIZE (which should be more + than enough) before accepting updates through netlink. + + Change all iSCSI sysfs attributes to use sysfs_emit(). + + Cc: stable@vger.kernel.org + Reported-by: Adam Nichols + Reviewed-by: Lee Duncan + Reviewed-by: Greg Kroah-Hartman + Reviewed-by: Mike Christie + Signed-off-by: Chris Leech + Signed-off-by: Martin K. Petersen + + Signed-off-by: Chris Leech + +commit 8026ca13e283db6175377fccf309e8c5239033be +Author: Chris Leech +Date: Thu Mar 4 09:58:33 2021 -0800 + + scsi: iscsi: Verify lengths on passthrough PDUs + + Bugzilla: http://bugzilla.redhat.com/1930826 + CVE: CVE-2021-27365 << [JL] should be CVE-2021-27364 + + commit f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5 + Author: Chris Leech + Date: Tue Feb 23 21:39:01 2021 -0800 + + scsi: iscsi: Verify lengths on passthrough PDUs + + Open-iSCSI sends passthrough PDUs over netlink, but the kernel should be + verifying that the provided PDU header and data lengths fall within the + netlink message to prevent accessing beyond that in memory. + + Cc: stable@vger.kernel.org + Reported-by: Adam Nichols + Reviewed-by: Lee Duncan + Reviewed-by: Mike Christie + Signed-off-by: Chris Leech + Signed-off-by: Martin K. Petersen + + Signed-off-by: Chris Leech + +Signed-off-by: Joe Lawrence +Acked-by: Artem Savkov +--- + drivers/scsi/libiscsi.c | 148 ++++++++++++++-------------- + drivers/scsi/scsi_transport_iscsi.c | 38 +++++-- + 2 files changed, 104 insertions(+), 82 deletions(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index bd36ead89f9d..5530662bd9ed 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -3323,125 +3323,125 @@ int iscsi_session_get_param(struct iscsi_cls_session *cls_session, + + switch(param) { + case ISCSI_PARAM_FAST_ABORT: +- len = sprintf(buf, "%d\n", session->fast_abort); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->fast_abort); + break; + case ISCSI_PARAM_ABORT_TMO: +- len = sprintf(buf, "%d\n", session->abort_timeout); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->abort_timeout); + break; + case ISCSI_PARAM_LU_RESET_TMO: +- len = sprintf(buf, "%d\n", session->lu_reset_timeout); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->lu_reset_timeout); + break; + case ISCSI_PARAM_TGT_RESET_TMO: +- len = sprintf(buf, "%d\n", session->tgt_reset_timeout); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->tgt_reset_timeout); + break; + case ISCSI_PARAM_INITIAL_R2T_EN: +- len = sprintf(buf, "%d\n", session->initial_r2t_en); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->initial_r2t_en); + break; + case ISCSI_PARAM_MAX_R2T: +- len = sprintf(buf, "%hu\n", session->max_r2t); ++ len = scnprintf(buf, PAGE_SIZE, "%hu\n", session->max_r2t); + break; + case ISCSI_PARAM_IMM_DATA_EN: +- len = sprintf(buf, "%d\n", session->imm_data_en); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->imm_data_en); + break; + case ISCSI_PARAM_FIRST_BURST: +- len = sprintf(buf, "%u\n", session->first_burst); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->first_burst); + break; + case ISCSI_PARAM_MAX_BURST: +- len = sprintf(buf, "%u\n", session->max_burst); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->max_burst); + break; + case ISCSI_PARAM_PDU_INORDER_EN: +- len = sprintf(buf, "%d\n", session->pdu_inorder_en); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->pdu_inorder_en); + break; + case ISCSI_PARAM_DATASEQ_INORDER_EN: +- len = sprintf(buf, "%d\n", session->dataseq_inorder_en); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->dataseq_inorder_en); + break; + case ISCSI_PARAM_DEF_TASKMGMT_TMO: +- len = sprintf(buf, "%d\n", session->def_taskmgmt_tmo); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->def_taskmgmt_tmo); + break; + case ISCSI_PARAM_ERL: +- len = sprintf(buf, "%d\n", session->erl); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->erl); + break; + case ISCSI_PARAM_TARGET_NAME: +- len = sprintf(buf, "%s\n", session->targetname); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->targetname); + break; + case ISCSI_PARAM_TARGET_ALIAS: +- len = sprintf(buf, "%s\n", session->targetalias); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->targetalias); + break; + case ISCSI_PARAM_TPGT: +- len = sprintf(buf, "%d\n", session->tpgt); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->tpgt); + break; + case ISCSI_PARAM_USERNAME: +- len = sprintf(buf, "%s\n", session->username); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->username); + break; + case ISCSI_PARAM_USERNAME_IN: +- len = sprintf(buf, "%s\n", session->username_in); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->username_in); + break; + case ISCSI_PARAM_PASSWORD: +- len = sprintf(buf, "%s\n", session->password); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->password); + break; + case ISCSI_PARAM_PASSWORD_IN: +- len = sprintf(buf, "%s\n", session->password_in); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->password_in); + break; + case ISCSI_PARAM_IFACE_NAME: +- len = sprintf(buf, "%s\n", session->ifacename); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->ifacename); + break; + case ISCSI_PARAM_INITIATOR_NAME: +- len = sprintf(buf, "%s\n", session->initiatorname); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->initiatorname); + break; + case ISCSI_PARAM_BOOT_ROOT: +- len = sprintf(buf, "%s\n", session->boot_root); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->boot_root); + break; + case ISCSI_PARAM_BOOT_NIC: +- len = sprintf(buf, "%s\n", session->boot_nic); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->boot_nic); + break; + case ISCSI_PARAM_BOOT_TARGET: +- len = sprintf(buf, "%s\n", session->boot_target); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->boot_target); + break; + case ISCSI_PARAM_AUTO_SND_TGT_DISABLE: +- len = sprintf(buf, "%u\n", session->auto_snd_tgt_disable); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->auto_snd_tgt_disable); + break; + case ISCSI_PARAM_DISCOVERY_SESS: +- len = sprintf(buf, "%u\n", session->discovery_sess); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->discovery_sess); + break; + case ISCSI_PARAM_PORTAL_TYPE: +- len = sprintf(buf, "%s\n", session->portal_type); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", session->portal_type); + break; + case ISCSI_PARAM_CHAP_AUTH_EN: +- len = sprintf(buf, "%u\n", session->chap_auth_en); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->chap_auth_en); + break; + case ISCSI_PARAM_DISCOVERY_LOGOUT_EN: +- len = sprintf(buf, "%u\n", session->discovery_logout_en); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->discovery_logout_en); + break; + case ISCSI_PARAM_BIDI_CHAP_EN: +- len = sprintf(buf, "%u\n", session->bidi_chap_en); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->bidi_chap_en); + break; + case ISCSI_PARAM_DISCOVERY_AUTH_OPTIONAL: +- len = sprintf(buf, "%u\n", session->discovery_auth_optional); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->discovery_auth_optional); + break; + case ISCSI_PARAM_DEF_TIME2WAIT: +- len = sprintf(buf, "%d\n", session->time2wait); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->time2wait); + break; + case ISCSI_PARAM_DEF_TIME2RETAIN: +- len = sprintf(buf, "%d\n", session->time2retain); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", session->time2retain); + break; + case ISCSI_PARAM_TSID: +- len = sprintf(buf, "%u\n", session->tsid); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->tsid); + break; + case ISCSI_PARAM_ISID: +- len = sprintf(buf, "%02x%02x%02x%02x%02x%02x\n", ++ len = scnprintf(buf, PAGE_SIZE, "%02x%02x%02x%02x%02x%02x\n", + session->isid[0], session->isid[1], + session->isid[2], session->isid[3], + session->isid[4], session->isid[5]); + break; + case ISCSI_PARAM_DISCOVERY_PARENT_IDX: +- len = sprintf(buf, "%u\n", session->discovery_parent_idx); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", session->discovery_parent_idx); + break; + case ISCSI_PARAM_DISCOVERY_PARENT_TYPE: + if (session->discovery_parent_type) +- len = sprintf(buf, "%s\n", ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", + session->discovery_parent_type); + else +- len = sprintf(buf, "\n"); ++ len = scnprintf(buf, PAGE_SIZE, "\n"); + break; + default: + return -ENOSYS; +@@ -3473,16 +3473,16 @@ int iscsi_conn_get_addr_param(struct sockaddr_storage *addr, + case ISCSI_PARAM_CONN_ADDRESS: + case ISCSI_HOST_PARAM_IPADDRESS: + if (sin) +- len = sprintf(buf, "%pI4\n", &sin->sin_addr.s_addr); ++ len = scnprintf(buf, PAGE_SIZE, "%pI4\n", &sin->sin_addr.s_addr); + else +- len = sprintf(buf, "%pI6\n", &sin6->sin6_addr); ++ len = scnprintf(buf, PAGE_SIZE, "%pI6\n", &sin6->sin6_addr); + break; + case ISCSI_PARAM_CONN_PORT: + case ISCSI_PARAM_LOCAL_PORT: + if (sin) +- len = sprintf(buf, "%hu\n", be16_to_cpu(sin->sin_port)); ++ len = scnprintf(buf, PAGE_SIZE, "%hu\n", be16_to_cpu(sin->sin_port)); + else +- len = sprintf(buf, "%hu\n", ++ len = scnprintf(buf, PAGE_SIZE, "%hu\n", + be16_to_cpu(sin6->sin6_port)); + break; + default: +@@ -3501,88 +3501,88 @@ int iscsi_conn_get_param(struct iscsi_cls_conn *cls_conn, + + switch(param) { + case ISCSI_PARAM_PING_TMO: +- len = sprintf(buf, "%u\n", conn->ping_timeout); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->ping_timeout); + break; + case ISCSI_PARAM_RECV_TMO: +- len = sprintf(buf, "%u\n", conn->recv_timeout); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->recv_timeout); + break; + case ISCSI_PARAM_MAX_RECV_DLENGTH: +- len = sprintf(buf, "%u\n", conn->max_recv_dlength); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->max_recv_dlength); + break; + case ISCSI_PARAM_MAX_XMIT_DLENGTH: +- len = sprintf(buf, "%u\n", conn->max_xmit_dlength); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->max_xmit_dlength); + break; + case ISCSI_PARAM_HDRDGST_EN: +- len = sprintf(buf, "%d\n", conn->hdrdgst_en); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->hdrdgst_en); + break; + case ISCSI_PARAM_DATADGST_EN: +- len = sprintf(buf, "%d\n", conn->datadgst_en); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->datadgst_en); + break; + case ISCSI_PARAM_IFMARKER_EN: +- len = sprintf(buf, "%d\n", conn->ifmarker_en); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->ifmarker_en); + break; + case ISCSI_PARAM_OFMARKER_EN: +- len = sprintf(buf, "%d\n", conn->ofmarker_en); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->ofmarker_en); + break; + case ISCSI_PARAM_EXP_STATSN: +- len = sprintf(buf, "%u\n", conn->exp_statsn); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->exp_statsn); + break; + case ISCSI_PARAM_PERSISTENT_PORT: +- len = sprintf(buf, "%d\n", conn->persistent_port); ++ len = scnprintf(buf, PAGE_SIZE, "%d\n", conn->persistent_port); + break; + case ISCSI_PARAM_PERSISTENT_ADDRESS: +- len = sprintf(buf, "%s\n", conn->persistent_address); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", conn->persistent_address); + break; + case ISCSI_PARAM_STATSN: +- len = sprintf(buf, "%u\n", conn->statsn); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->statsn); + break; + case ISCSI_PARAM_MAX_SEGMENT_SIZE: +- len = sprintf(buf, "%u\n", conn->max_segment_size); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->max_segment_size); + break; + case ISCSI_PARAM_KEEPALIVE_TMO: +- len = sprintf(buf, "%u\n", conn->keepalive_tmo); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->keepalive_tmo); + break; + case ISCSI_PARAM_LOCAL_PORT: +- len = sprintf(buf, "%u\n", conn->local_port); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->local_port); + break; + case ISCSI_PARAM_TCP_TIMESTAMP_STAT: +- len = sprintf(buf, "%u\n", conn->tcp_timestamp_stat); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_timestamp_stat); + break; + case ISCSI_PARAM_TCP_NAGLE_DISABLE: +- len = sprintf(buf, "%u\n", conn->tcp_nagle_disable); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_nagle_disable); + break; + case ISCSI_PARAM_TCP_WSF_DISABLE: +- len = sprintf(buf, "%u\n", conn->tcp_wsf_disable); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_wsf_disable); + break; + case ISCSI_PARAM_TCP_TIMER_SCALE: +- len = sprintf(buf, "%u\n", conn->tcp_timer_scale); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_timer_scale); + break; + case ISCSI_PARAM_TCP_TIMESTAMP_EN: +- len = sprintf(buf, "%u\n", conn->tcp_timestamp_en); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_timestamp_en); + break; + case ISCSI_PARAM_IP_FRAGMENT_DISABLE: +- len = sprintf(buf, "%u\n", conn->fragment_disable); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->fragment_disable); + break; + case ISCSI_PARAM_IPV4_TOS: +- len = sprintf(buf, "%u\n", conn->ipv4_tos); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->ipv4_tos); + break; + case ISCSI_PARAM_IPV6_TC: +- len = sprintf(buf, "%u\n", conn->ipv6_traffic_class); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->ipv6_traffic_class); + break; + case ISCSI_PARAM_IPV6_FLOW_LABEL: +- len = sprintf(buf, "%u\n", conn->ipv6_flow_label); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->ipv6_flow_label); + break; + case ISCSI_PARAM_IS_FW_ASSIGNED_IPV6: +- len = sprintf(buf, "%u\n", conn->is_fw_assigned_ipv6); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->is_fw_assigned_ipv6); + break; + case ISCSI_PARAM_TCP_XMIT_WSF: +- len = sprintf(buf, "%u\n", conn->tcp_xmit_wsf); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_xmit_wsf); + break; + case ISCSI_PARAM_TCP_RECV_WSF: +- len = sprintf(buf, "%u\n", conn->tcp_recv_wsf); ++ len = scnprintf(buf, PAGE_SIZE, "%u\n", conn->tcp_recv_wsf); + break; + case ISCSI_PARAM_LOCAL_IPADDR: +- len = sprintf(buf, "%s\n", conn->local_ipaddr); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", conn->local_ipaddr); + break; + default: + return -ENOSYS; +@@ -3600,13 +3600,13 @@ int iscsi_host_get_param(struct Scsi_Host *shost, enum iscsi_host_param param, + + switch (param) { + case ISCSI_HOST_PARAM_NETDEV_NAME: +- len = sprintf(buf, "%s\n", ihost->netdev); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", ihost->netdev); + break; + case ISCSI_HOST_PARAM_HWADDRESS: +- len = sprintf(buf, "%s\n", ihost->hwaddress); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", ihost->hwaddress); + break; + case ISCSI_HOST_PARAM_INITIATOR_NAME: +- len = sprintf(buf, "%s\n", ihost->initiatorname); ++ len = scnprintf(buf, PAGE_SIZE, "%s\n", ihost->initiatorname); + break; + default: + return -ENOSYS; +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 2265611b7e37..f0738bb165f2 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -119,7 +119,11 @@ show_transport_handle(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct iscsi_internal *priv = dev_to_iscsi_internal(dev); +- return sprintf(buf, "%llu\n", (unsigned long long)iscsi_handle(priv->iscsi_transport)); ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EACCES; ++ return scnprintf(buf, PAGE_SIZE, "%llu\n", ++ (unsigned long long)iscsi_handle(priv->iscsi_transport)); + } + static DEVICE_ATTR(handle, S_IRUGO, show_transport_handle, NULL); + +@@ -129,7 +133,7 @@ show_transport_##name(struct device *dev, \ + struct device_attribute *attr,char *buf) \ + { \ + struct iscsi_internal *priv = dev_to_iscsi_internal(dev); \ +- return sprintf(buf, format"\n", priv->iscsi_transport->name); \ ++ return scnprintf(buf, PAGE_SIZE, format"\n", priv->iscsi_transport->name);\ + } \ + static DEVICE_ATTR(name, S_IRUGO, show_transport_##name, NULL); + +@@ -170,7 +174,7 @@ static ssize_t + show_ep_handle(struct device *dev, struct device_attribute *attr, char *buf) + { + struct iscsi_endpoint *ep = iscsi_dev_to_endpoint(dev); +- return sprintf(buf, "%llu\n", (unsigned long long) ep->id); ++ return scnprintf(buf, PAGE_SIZE, "%llu\n", (unsigned long long) ep->id); + } + static ISCSI_ATTR(ep, handle, S_IRUGO, show_ep_handle, NULL); + +@@ -2779,6 +2783,9 @@ iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) + struct iscsi_cls_session *session; + int err = 0, value = 0; + ++ if (ev->u.set_param.len > PAGE_SIZE) ++ return -EINVAL; ++ + session = iscsi_session_lookup(ev->u.set_param.sid); + conn = iscsi_conn_lookup(ev->u.set_param.sid, ev->u.set_param.cid); + if (!conn || !session) +@@ -2926,6 +2933,9 @@ iscsi_set_host_param(struct iscsi_transport *transport, + if (!transport->set_host_param) + return -ENOSYS; + ++ if (ev->u.set_host_param.len > PAGE_SIZE) ++ return -EINVAL; ++ + shost = scsi_host_lookup(ev->u.set_host_param.host_no); + if (!shost) { + printk(KERN_ERR "set_host_param could not find host no %u\n", +@@ -3495,6 +3505,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + { + int err = 0; + u32 portid; ++ u32 pdu_len; + struct iscsi_uevent *ev = nlmsg_data(nlh); + struct iscsi_transport *transport = NULL; + struct iscsi_internal *priv; +@@ -3502,6 +3513,9 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + struct iscsi_cls_conn *conn; + struct iscsi_endpoint *ep = NULL; + ++ if (!netlink_capable(skb, CAP_SYS_ADMIN)) ++ return -EPERM; ++ + if (nlh->nlmsg_type == ISCSI_UEVENT_PATH_UPDATE) + *group = ISCSI_NL_GRP_UIP; + else +@@ -3607,6 +3621,14 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = -EINVAL; + break; + case ISCSI_UEVENT_SEND_PDU: ++ pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); ++ ++ if ((ev->u.send_pdu.hdr_size > pdu_len) || ++ (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) { ++ err = -EINVAL; ++ break; ++ } ++ + conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid); + if (conn) + ev->r.retcode = transport->send_pdu(conn, +@@ -4013,7 +4035,7 @@ show_priv_session_state(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent); +- return sprintf(buf, "%s\n", iscsi_session_state_name(session->state)); ++ return scnprintf(buf, PAGE_SIZE, "%s\n", iscsi_session_state_name(session->state)); + } + static ISCSI_CLASS_ATTR(priv_sess, state, S_IRUGO, show_priv_session_state, + NULL); +@@ -4022,7 +4044,7 @@ show_priv_session_creator(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent); +- return sprintf(buf, "%d\n", session->creator); ++ return scnprintf(buf, PAGE_SIZE, "%d\n", session->creator); + } + static ISCSI_CLASS_ATTR(priv_sess, creator, S_IRUGO, show_priv_session_creator, + NULL); +@@ -4031,7 +4053,7 @@ show_priv_session_target_id(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent); +- return sprintf(buf, "%d\n", session->target_id); ++ return scnprintf(buf, PAGE_SIZE, "%d\n", session->target_id); + } + static ISCSI_CLASS_ATTR(priv_sess, target_id, S_IRUGO, + show_priv_session_target_id, NULL); +@@ -4044,8 +4066,8 @@ show_priv_session_##field(struct device *dev, \ + struct iscsi_cls_session *session = \ + iscsi_dev_to_session(dev->parent); \ + if (session->field == -1) \ +- return sprintf(buf, "off\n"); \ +- return sprintf(buf, format"\n", session->field); \ ++ return scnprintf(buf, PAGE_SIZE, "off\n"); \ ++ return scnprintf(buf, PAGE_SIZE, format"\n", session->field); \ + } + + #define iscsi_priv_session_attr_store(field) \ +-- +2.26.2 + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index e58bfee..11d592f 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.15.2.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 2 +%define rpm_rel 4 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -16,6 +16,10 @@ Source100: tty-Fix-pgrp-locking-in-tiocspgrp.patch # # https://bugzilla.redhat.com/1902568 Source101: target-scsi-Fix-XCOPY-NAA-identifier-lookup.patch +# +# https://bugzilla.redhat.com/1930840 +# https://bugzilla.redhat.com/1930863 +Source102: scsi-iscsi-kpatch-fixes-for-CVE-2021-27364-and-CVE-2.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -148,6 +152,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Fri Mar 26 2021 Joe Lawrence [1-4.el7] +- kernel: out-of-bounds read in libiscsi module [1930840] {CVE-2021-27364} +- kernel: heap buffer overflow in the iSCSI subsystem [1930863] {CVE-2021-27365} + * Tue Feb 09 2021 Artem Savkov [1-2.el7] - SCSI target (LIO) write to any block on ILO backstore [1902568] {CVE-2020-28374}