Bugzilla – Bug 940338
VUL-0: CVE-2015-5707: kernel: Integer overflow in SCSI generic driver
Last modified: 2016-09-07 10:19:27 UTC
CVE-2015-5707

From: Ben Hutchings

This bug has been present for a long time, probably introduced in Linux 2.6.28 by:

commit 10db10d144c0248f285242f79daf6b9de6b00a62
Author: FUJITA Tomonori <fujita.tomonori () lab ntt co jp>
Date: Fri Aug 29 12:32:18 2008 +0200

    sg: convert the indirect IO path to use the block layer

    This patch converts the indirect IO path (including mmap IO and old struct sg_header) to use the block layer functions (blk_get_request, blk_execute_rq_nowait, blk_rq_map_user, etc) instead of scsi_execute_async().

    [Jens: fixed compile error with SCSI logging enabled]

    Signed-off-by: FUJITA Tomonori <fujita.tomonori () lab ntt co jp>
    Signed-off-by: Douglas Gilbert <dougg () torque net>
    Cc: Mike Christie <michaelc () cs wisc edu>
    Cc: James Bottomley <James.Bottomley () HansenPartnership com>
    Signed-off-by: Jens Axboe <jens.axboe () oracle com>

It was fixed in Linux 4.1-rc1 by:

commit 451a2886b6bf90e2fb378f7c46c655450fb96e81
Author: Al Viro <viro () zeniv linux org uk>
Date: Sat Mar 21 20:08:18 2015 -0400

    sg_start_req(): make sure that there's not too many elements in iovec

    unfortunately, allowing an arbitrary 16bit value means a possibility of overflow in the calculation of total number of pages in bio_map_user_iov() - we rely on there being no more than PAGE_SIZE members of sum in the first loop there. If that sum wraps around, we end up allocating too small array of pointers to pages and it's easy to overflow it in the second loop.

    X-Coverup: TINC (and there's no lumber cartel either)
    Cc: stable () vger kernel org # way, way back
    Signed-off-by: Al Viro <viro () zeniv linux org uk>

commit fdc81f45e9f57858da6351836507fbcf1b7583ee
Author: Al Viro <viro () zeniv linux org uk>
Date: Sat Mar 21 20:25:30 2015 -0400

    sg_start_req(): use import_iovec()

    Signed-off-by: Al Viro <viro () zeniv linux org uk>

This has not been included in any stable branches yet. When backporting the fix to older kernel versions, the second commit can't be used. The first commit requires a naming fix-up: s/MAX_UIOVEC/UIO_MAXIOV/.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5707
http://seclists.org/oss-sec/2015/q3/278
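The wraparound described in the fix commit message, modelled in user space as an added example (this is not kernel code and not part of the original report): a page total accumulated in 32 bits over an unbounded element count, beside a form that caps the count at UIO_MAXIOV. The `struct seg` type, the function names, the 4 KiB page size and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define PAGE_SHIFT 12                     /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define UIO_MAXIOV 1024                   /* element limit named in the backport note */
#define SAMPLE_N   32769u                 /* constructed count, still fits in 16 bits */
struct seg { uint64_t base, len; };       /* hypothetical stand-in for one iovec element */
static struct seg sample[SAMPLE_N];

/* Pages spanned by one segment: end rounded up minus start rounded down. */
static uint64_t seg_pages(const struct seg *s)
{
    return ((s->base + s->len + PAGE_SIZE - 1) >> PAGE_SHIFT) - (s->base >> PAGE_SHIFT);
}

/* Constructed input: 32768 segments of 512 MiB (2^17 pages each) plus one 1-byte segment. */
unsigned build_sample(void)
{
    for (unsigned i = 0; i + 1 < SAMPLE_N; i++)
        sample[i] = (struct seg){ 0, 1ULL << 29 };
    sample[SAMPLE_N - 1] = (struct seg){ 0, 1 };
    return SAMPLE_N;
}

/* Unbounded count, 32-bit running total: the total silently wraps modulo 2^32. */
uint32_t total_pages_narrow(const struct seg *v, unsigned n)
{
    uint32_t sum = 0;
    for (unsigned i = 0; i < n; i++)
        sum += (uint32_t)seg_pages(&v[i]);
    return sum;
}

/* Bounded form: returns the total, or -1 for too many elements or a total that does not fit an int. */
int total_pages_checked(const struct seg *v, unsigned n)
{
    uint64_t sum = 0;
    if (n > UIO_MAXIOV) return -1;
    for (unsigned i = 0; i < n; i++)
        if ((sum += seg_pages(&v[i])) > INT32_MAX) return -1;
    return (int)sum;
}

int main(void)
{
    unsigned n = build_sample();
    printf("narrow = %u, checked = %d\n", (unsigned)total_pages_narrow(sample, n), total_pages_checked(sample, n));
    return 0;
}
```

With the constructed input the narrow total comes out as 1 page although the segments span 2^32 + 1, which is the "too small array" condition the commit message names; the bounded form rejects the request before any sizing happens.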
bugbot adjusting priority
Fix pushed to cve branches
SUSE-SU-2015:1478-1: An update that solves 18 vulnerabilities and has 25 fixes is now available. Category: security (important) Bug References: 798406,821931,860593,879878,891087,897995,898693,900881,904671,908870,909477,912916,914742,915200,915517,915577,916010,917093,917830,918333,919007,919018,919463,921769,922583,923245,926240,927257,928801,929148,929283,929360,929525,930284,930934,931474,933429,935705,936831,937032,937986,940338,940398 CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9683,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-1805,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3636,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-source-3.0.101-0.7.37.1, kernel-syms-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
SUSE-SU-2015:1592-1: An update that solves 14 vulnerabilities and has 45 fixes is now available. Category: security (important) Bug References: 851068,867362,873385,883380,886785,894936,915517,917830,919463,920110,920250,920733,921430,923245,924701,925705,925881,925903,926240,926953,927355,927786,929142,929143,930092,930761,930934,931538,932348,932458,933429,933896,933904,933907,933936,934742,934944,935053,935572,935705,935866,935906,936077,936423,936637,936831,936875,936925,937032,937402,937444,937503,937641,937855,939910,939994,940338,940398,942350 CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0777,CVE-2015-1420,CVE-2015-1805,CVE-2015-2150,CVE-2015-2830,CVE-2015-4167,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707 Sources used: SUSE Linux Enterprise Real Time Extension 11-SP3 (src): kernel-rt-3.0.101.rt130-0.33.40.1, kernel-rt_trace-3.0.101.rt130-0.33.40.1, kernel-source-rt-3.0.101.rt130-0.33.40.1, kernel-syms-rt-3.0.101.rt130-0.33.40.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): kernel-rt-3.0.101.rt130-0.33.40.1, kernel-rt_trace-3.0.101.rt130-0.33.40.1
SUSE-SU-2015:1678-1: An update that solves 15 vulnerabilities and has 67 fixes is now available. Category: security (moderate) Bug References: 777565,867362,873385,883380,884333,886785,891116,894936,915517,917830,917968,919463,920016,920110,920250,920733,921430,923002,923245,923431,924701,925705,925881,925903,926240,926953,927355,928988,929076,929142,929143,930092,930934,931620,932350,932458,932882,933429,933721,933896,933904,933907,933936,934944,935053,935055,935572,935705,935866,935906,936077,936095,936118,936423,936637,936831,936875,936921,936925,937032,937256,937402,937444,937503,937641,937855,938485,939910,939994,940338,940398,940925,940966,942204,942305,942350,942367,942404,942605,942688,942938,943477 CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0777,CVE-2015-1420,CVE-2015-1805,CVE-2015-2150,CVE-2015-2830,CVE-2015-4167,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6252 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): kernel-docs-3.0.101-65.3 SUSE Linux Enterprise Server 11-SP4 (src): kernel-default-3.0.101-65.1, kernel-ec2-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-source-3.0.101-65.1, kernel-syms-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1 SUSE Linux Enterprise Server 11-EXTRA (src): kernel-default-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1 SUSE Linux Enterprise Desktop 11-SP4 (src): kernel-default-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-source-3.0.101-65.1, kernel-syms-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-default-3.0.101-65.1, kernel-ec2-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1
openSUSE-SU-2015:1842-1: An update that solves 7 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 919154,926238,937969,938645,939834,940338,941104,941305,941867,942178,944296,947155,951195,951440 CVE References: CVE-2015-0272,CVE-2015-1333,CVE-2015-2925,CVE-2015-3290,CVE-2015-5283,CVE-2015-5707,CVE-2015-7872 Sources used: openSUSE 13.2 (src): bbswitch-0.8-3.13.2, cloop-2.639-14.13.2, crash-7.0.8-13.2, hdjmod-1.28-18.14.2, ipset-6.23-13.2, kernel-debug-3.16.7-29.1, kernel-default-3.16.7-29.1, kernel-desktop-3.16.7-29.1, kernel-docs-3.16.7-29.3, kernel-ec2-3.16.7-29.1, kernel-obs-build-3.16.7-29.2, kernel-obs-qa-3.16.7-29.1, kernel-obs-qa-xen-3.16.7-29.1, kernel-pae-3.16.7-29.1, kernel-source-3.16.7-29.1, kernel-syms-3.16.7-29.1, kernel-vanilla-3.16.7-29.1, kernel-xen-3.16.7-29.1, pcfclock-0.44-260.13.2, vhba-kmp-20140629-2.13.2, xen-4.4.2_06-27.2, xtables-addons-2.6-13.2
SUSE-SU-2015:2084-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 940338,940342,948536,948701 CVE References: CVE-2015-5707,CVE-2015-7613 Sources used: SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_5-3-2.1
SUSE-SU-2015:2085-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 940338,940342,948536,948701 CVE References: CVE-2015-5707,CVE-2015-7613 Sources used: SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_4-3-2.1
SUSE-SU-2015:2086-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 940338,940342,948536,948701 CVE References: CVE-2015-5707,CVE-2015-7613 Sources used: SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_7-2-4.1
SUSE-SU-2015:2087-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 940338,940342,948536,948701 CVE References: CVE-2015-5707,CVE-2015-7613 Sources used: SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_6-2-2.1
SUSE-SU-2015:2089-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 940338,940342,948536,948701 CVE References: CVE-2015-5707,CVE-2015-7613 Sources used: SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_1-4-2.3
SUSE-SU-2015:2090-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 940338,940342,948536,948701 CVE References: CVE-2015-5707,CVE-2015-7613 Sources used: SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_3-3-2.1
SUSE-SU-2015:2091-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 940338,940342,948536,948701 CVE References: CVE-2015-5707,CVE-2015-7613 Sources used: SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_2-4-2.3
SUSE-SU-2015:2167-1: An update that solves 7 vulnerabilities and has 59 fixes is now available. Category: security (moderate) Bug References: 777565,867362,873385,883380,884333,886785,891116,894936,915517,917968,920016,920110,920733,923002,923431,924701,925705,925881,925903,927355,929076,929142,929143,930092,930934,931620,932350,933721,935053,935055,935572,935705,935866,935906,936077,936095,936118,936423,936637,936831,936875,936921,936925,937032,937256,937402,937444,937503,937641,937855,938485,939910,939994,940338,940398,940925,940966,942204,942305,942350,942367,942404,942605,942688,942938,943477 CVE References: CVE-2015-1420,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5697,CVE-2015-5707,CVE-2015-6252 Sources used: SUSE Linux Enterprise Real Time Extension 11-SP4 (src): kernel-rt-3.0.101.rt130-45.1, kernel-rt_trace-3.0.101.rt130-45.1, kernel-source-rt-3.0.101.rt130-45.1, kernel-syms-rt-3.0.101.rt130-45.1
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available. Category: security (important) Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075 CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728 Sources used: openSUSE 13.1 (src): cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, 
vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
SUSE-SU-2016:0585-1: An update that solves 17 vulnerabilities and has 54 fixes is now available. Category: security (important) Bug References: 812259,855062,867583,899908,902606,924919,935087,937261,937444,938577,940338,940946,941363,942476,943989,944749,945649,947953,949440,949936,950292,951199,951392,951615,952579,952976,954992,955118,955354,955654,956514,956708,957525,957988,957990,958463,958886,958951,959090,959146,959190,959257,959364,959399,959436,959463,959629,960221,960227,960281,960300,961202,961257,961500,961509,961516,961588,961971,962336,962356,962788,962965,963449,963572,963765,963767,963825,964230,964821,965344,965840 CVE References: CVE-2013-7446,CVE-2015-0272,CVE-2015-5707,CVE-2015-7550,CVE-2015-7799,CVE-2015-8215,CVE-2015-8539,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8569,CVE-2015-8575,CVE-2015-8660,CVE-2015-8767,CVE-2015-8785,CVE-2016-0723,CVE-2016-2069 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP1 (src): kernel-default-3.12.53-60.30.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): kernel-docs-3.12.53-60.30.2, kernel-obs-build-3.12.53-60.30.2 SUSE Linux Enterprise Server 12-SP1 (src): kernel-default-3.12.53-60.30.1, kernel-source-3.12.53-60.30.1, kernel-syms-3.12.53-60.30.1, kernel-xen-3.12.53-60.30.1, lttng-modules-2.7.0-3.1 SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.53-60.30.1 SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12-SP1_Update_3-1-2.1 SUSE Linux Enterprise Desktop 12-SP1 (src): kernel-default-3.12.53-60.30.1, kernel-source-3.12.53-60.30.1, kernel-syms-3.12.53-60.30.1, kernel-xen-3.12.53-60.30.1
SUSE-SU-2016:0785-1: An update that solves 10 vulnerabilities and has 66 fixes is now available. Category: security (important) Bug References: 812259,816099,855062,867583,884701,899908,922071,937444,940338,940946,941363,943989,945219,947953,949752,950292,951155,955308,955654,956084,956514,957525,957986,959090,959146,959257,959463,959629,959709,960174,960227,960458,960561,960629,961257,961500,961509,961516,961588,961658,961971,962336,962356,962788,962965,963193,963449,963572,963746,963765,963767,963825,963960,964201,964730,965199,965344,965830,965840,965891,966026,966094,966278,966437,966471,966693,966864,966910,967802,968018,968074,968206,968230,968234,968253,969112 CVE References: CVE-2013-7446,CVE-2015-5707,CVE-2015-8709,CVE-2015-8767,CVE-2015-8785,CVE-2015-8812,CVE-2016-0723,CVE-2016-0774,CVE-2016-2069,CVE-2016-2384 Sources used: SUSE Linux Enterprise Workstation Extension 12 (src): kernel-default-3.12.55-52.42.1 SUSE Linux Enterprise Software Development Kit 12 (src): kernel-docs-3.12.55-52.42.2, kernel-obs-build-3.12.55-52.42.2 SUSE Linux Enterprise Server 12 (src): kernel-default-3.12.55-52.42.1, kernel-source-3.12.55-52.42.1, kernel-syms-3.12.55-52.42.1, kernel-xen-3.12.55-52.42.1 SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.55-52.42.1 SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_12-1-2.1 SUSE Linux Enterprise Desktop 12 (src): kernel-default-3.12.55-52.42.1, kernel-source-3.12.55-52.42.1, kernel-syms-3.12.55-52.42.1, kernel-xen-3.12.55-52.42.1