diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-07-10 14:53:23 +0200 |
|---|---|---|
| committer | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-07-12 11:02:56 +0200 |
| commit | 3de302a44acb21557b88ec1605face714ca669da (patch) | |
| tree | f8c015caf4ae1ae69cd60a567309102760a17cd6 | |
| parent | 76aa6326232ccf2250cc2981fce1715613b071c8 (diff) | |
| download | enea-kernel-cache-3de302a44acb21557b88ec1605face714ca669da.tar.gz | |
scsi: CVE-2018-20836
scsi: libsas: fix a race condition when smp task timeout
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20836
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=41b5d3eee4af6a4ea488a1735ed82e4e593eec0d
Change-Id: I6bd1bfbad5358379ead43314c780859b1d11e658
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch | 71 |
2 files changed, 74 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 6259efc..a1c8ba5 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
| @@ -75,3 +75,6 @@ patch CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch | |||
| 75 | 75 | ||
| 76 | #CVEs fixed in 4.9.169: | 76 | #CVEs fixed in 4.9.169: |
| 77 | patch CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch | 77 | patch CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch |
| 78 | |||
| 79 | #CVEs fixed in 4.9.175: | ||
| 80 | patch CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch | ||
diff --git a/patches/cve/CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch b/patches/cve/CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch new file mode 100644 index 0000000..dc9f8f8 --- /dev/null +++ b/patches/cve/CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch | |||
| @@ -0,0 +1,71 @@ | |||
| 1 | From 41b5d3eee4af6a4ea488a1735ed82e4e593eec0d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jason Yan <yanaijie@huawei.com> | ||
| 3 | Date: Tue, 25 Sep 2018 10:56:54 +0800 | ||
| 4 | Subject: [PATCH] scsi: libsas: fix a race condition when smp task timeout | ||
| 5 | |||
| 6 | commit b90cd6f2b905905fb42671009dc0e27c310a16ae upstream. | ||
| 7 | |||
| 8 | When the lldd is processing the complete sas task in interrupt and set the | ||
| 9 | task stat as SAS_TASK_STATE_DONE, the smp timeout timer is able to be | ||
| 10 | triggered at the same time. And smp_task_timedout() will complete the task | ||
| 11 | wheter the SAS_TASK_STATE_DONE is set or not. Then the sas task may freed | ||
| 12 | before lldd end the interrupt process. Thus a use-after-free will happen. | ||
| 13 | |||
| 14 | Fix this by calling the complete() only when SAS_TASK_STATE_DONE is not | ||
| 15 | set. And remove the check of the return value of the del_timer(). Once the | ||
| 16 | LLDD sets DONE, it must call task->done(), which will call | ||
| 17 | smp_task_done()->complete() and the task will be completed and freed | ||
| 18 | correctly. | ||
| 19 | |||
| 20 | CVE: CVE-2018-20836 | ||
| 21 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=41b5d3eee4af6a4ea488a1735ed82e4e593eec0d] | ||
| 22 | |||
| 23 | Reported-by: chenxiang <chenxiang66@hisilicon.com> | ||
| 24 | Signed-off-by: Jason Yan <yanaijie@huawei.com> | ||
| 25 | CC: John Garry <john.garry@huawei.com> | ||
| 26 | CC: Johannes Thumshirn <jthumshirn@suse.de> | ||
| 27 | CC: Ewan Milne <emilne@redhat.com> | ||
| 28 | CC: Christoph Hellwig <hch@lst.de> | ||
| 29 | CC: Tomas Henzl <thenzl@redhat.com> | ||
| 30 | CC: Dan Williams <dan.j.williams@intel.com> | ||
| 31 | CC: Hannes Reinecke <hare@suse.com> | ||
| 32 | Reviewed-by: Hannes Reinecke <hare@suse.com> | ||
| 33 | Reviewed-by: John Garry <john.garry@huawei.com> | ||
| 34 | Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> | ||
| 35 | Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> | ||
| 36 | Cc: Guenter Roeck <linux@roeck-us.net | ||
| 37 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 38 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 39 | --- | ||
| 40 | drivers/scsi/libsas/sas_expander.c | 9 ++++----- | ||
| 41 | 1 file changed, 4 insertions(+), 5 deletions(-) | ||
| 42 | |||
| 43 | diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c | ||
| 44 | index 7be581f7c35d..1a6f65db615e 100644 | ||
| 45 | --- a/drivers/scsi/libsas/sas_expander.c | ||
| 46 | +++ b/drivers/scsi/libsas/sas_expander.c | ||
| 47 | @@ -47,17 +47,16 @@ static void smp_task_timedout(unsigned long _task) | ||
| 48 | unsigned long flags; | ||
| 49 | |||
| 50 | spin_lock_irqsave(&task->task_state_lock, flags); | ||
| 51 | - if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) | ||
| 52 | + if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { | ||
| 53 | task->task_state_flags |= SAS_TASK_STATE_ABORTED; | ||
| 54 | + complete(&task->slow_task->completion); | ||
| 55 | + } | ||
| 56 | spin_unlock_irqrestore(&task->task_state_lock, flags); | ||
| 57 | - | ||
| 58 | - complete(&task->slow_task->completion); | ||
| 59 | } | ||
| 60 | |||
| 61 | static void smp_task_done(struct sas_task *task) | ||
| 62 | { | ||
| 63 | - if (!del_timer(&task->slow_task->timer)) | ||
| 64 | - return; | ||
| 65 | + del_timer(&task->slow_task->timer); | ||
| 66 | complete(&task->slow_task->completion); | ||
| 67 | } | ||
| 68 | |||
| 69 | -- | ||
| 70 | 2.20.1 | ||
| 71 | |||