Ubuntu
linux package

[Hyper-V] storvsc: do not assume SG list is continuous when doing bounce buffers

Bug #1742480 reported by Joshua R. Poulson on 2018-01-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Trusty	Fix Released	High	Marcelo Cerri

Bug Description

All linux kernels 4.1 and prior use bounce buffers, and there is a data corruption vulnerability on Hyper-V without the following patch.

storvsc checks the SG list for gaps before passing them to Hyper-v device.
If there are gaps, data is copied to a bounce buffer and a continuous data
buffer is passed to Hyper-V.

The check on gaps assumes SG list is continuous, and not chained. This is
not always true. Failing the check may result in incorrect I/O data
passed to the Hyper-v device.

This code path is not used post Linux 4.1.

Tags:

CVE References

Revision history for this message

Joshua R. Poulson (jrp) wrote on 2018-01-10:

0001-storvsc-do-not-assume-SG-list-is-continuous-when-doing-bounce-buffers.patch Edit (1.5 KiB, text/x-diff)

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2018-01-10: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1742480

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Revision history for this message

Leann Ogasawara (leannogasawara) wrote on 2018-01-10:

Based on the note that "This code path is not used post Linux 4.1", Xenial 16.04 and newer releases should not be impacted. This would only need to be considered for the v3.13 based Trusty 14.04 kernel. Will fix up the nominations accordingly. Thanks.

Leann Ogasawara (leannogasawara) on 2018-01-10

Changed in linux (Ubuntu Trusty):
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Marcelo Cerri (mhcerri)
Changed in linux (Ubuntu):
status:	Incomplete → Fix Released

Revision history for this message

Marcelo Cerri (mhcerri) wrote on 2018-01-30:

https://lists.ubuntu.com/archives/kernel-team/2018-January/089675.html

Khaled El Mously (kmously) on 2018-02-04

Changed in linux (Ubuntu Trusty):
status:	Triaged → Fix Committed

Revision history for this message

Stefan Bader (smb) wrote on 2018-03-19:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-trusty

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-04-04:

This bug was fixed in the package linux - 3.13.0-144.193

---------------
linux (3.13.0-144.193) trusty; urgency=medium

* linux: 3.13.0-144.193 -proposed tracker (LP: #1755227)

* CVE-2017-12762
- isdn/i4l: fix buffer overflow

* CVE-2017-17807
- KEYS: add missing permission check for request_key() destination

  * bnx2x_attn_int_deasserted3:4323 MC assert! (LP: #1715519) //
    CVE-2018-1000026
    - net: Add ndo_gso_check
    - net: create skb_gso_validate_mac_len()
    - bnx2x: disable GSO where gso_size is too big for hardware

* CVE-2017-17448
- netfilter: nfnetlink_cthelper: Add missing permission checks

* CVE-2017-11089
- cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE

* CVE-2018-5332
- RDS: Heap OOB write in rds_message_alloc_sgs()

* ppc64el: Do not call ibm,os-term on panic (LP: #1736954)
- powerpc: Do not call ppc_md.panic in fadump panic notifier

* CVE-2017-17805
- crypto: salsa20 - fix blkcipher_walk API usage

  * [Hyper-V] storvsc: do not assume SG list is continuous when doing bounce
    buffers (LP: #1742480)
    - SAUCE: storvsc: do not assume SG list is continuous when doing bounce
      buffers

* Shutdown hang on 16.04 with iscsi targets (LP: #1569925)
- scsi: libiscsi: Allow sd_shutdown on bad transport

* CVE-2017-17741
- KVM: Fix stack-out-of-bounds read in write_mmio

* CVE-2017-5715 (Spectre v2 Intel)
- [Packaging] pull in retpoline files

-- Stefan Bader <email address hidden> Thu, 15 Mar 2018 15:08:03 +0100

Changed in linux (Ubuntu Trusty):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

0001-storvsc-do-not-assume-SG-list-is-continuous-when-doing-bounce-buffers.patch Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

[Hyper-V] storvsc: do not assume SG list is continuous when doing bounce buffers

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package