ACK: [SRU Hirsute, Focal/linux-oem-5.10, Groovy, Focal/linux-oem-5.6, Focal, Bionic 0/4] CVE-2021-27363, CVE-2021-27364, CVE-2021-27365

Tim Gardner tim.gardner at canonical.com
Thu Mar 11 12:23:42 UTC 2021


Acked-by: Tim Gardner <tim.gardner at canonical.com>

On 3/10/21 7:36 PM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users can use the iscsi_transport handle to leak a kernel address,
> create/close iscsi sessions, and write out of bounds when reading sysfs iscsi
> attributes.
> 
> [Fix/Backport]
> 3 commits fix the problem, minimal backporting was needed because of missing
> commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
> 4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
> *change_owner functions.
> 
> [Test case]
> Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
> possible anymore. Also, creating a session also failed, and even as root,
> setting a name larger than PAGE_SIZE failed.
> 
> [Potential regression]
> iscsi users could fail to operate as unprivileged users.
> 
> Chris Leech (2):
>    scsi: iscsi: Verify lengths on passthrough PDUs
>    scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
> 
> Joe Perches (1):
>    sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
> 
> Lee Duncan (1):
>    scsi: iscsi: Restrict sessions and handles to admin capabilities
> 
>   Documentation/filesystems/sysfs.txt |   8 +-
>   drivers/scsi/libiscsi.c             | 148 ++++++++++++++--------------
>   drivers/scsi/scsi_transport_iscsi.c |  39 ++++++--
>   fs/sysfs/file.c                     |  55 +++++++++++
>   include/linux/sysfs.h               |  16 +++
>   5 files changed, 178 insertions(+), 88 deletions(-)
> 

-- 
-----------
Tim Gardner
Canonical, Inc
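
Added example, not part of this thread or of the kernel patches it acks: a userspace C model of why formatting sysfs output through a PAGE_SIZE-bounded helper such as sysfs_emit keeps an oversized attribute value inside the one-page buffer, where an unbounded sprintf-style show routine would write past it. The names `model_sysfs_emit`, `model_set_param`, `emit_len`, `unbounded_bytes`, the 4 KiB `MODEL_PAGE_SIZE` and the store-side length check are assumptions made for illustration.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096 /* assumption: 4 KiB page, as on x86-64 */

/* Userspace model of sysfs_emit(): formats into a one-page buffer and
 * returns the bytes actually stored (excluding NUL), never more. */
static int model_sysfs_emit(char *page, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(page, MODEL_PAGE_SIZE, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return n >= MODEL_PAGE_SIZE ? MODEL_PAGE_SIZE - 1 : n;
}

/* Bytes an unbounded sprintf(page, "%s\n", v) would write, NUL included. */
static size_t unbounded_bytes(size_t value_len) { return value_len + 2; }

/* Emits a constructed value of value_len 'A' bytes; returns bytes stored. */
static int emit_len(size_t value_len)
{
    char *page = malloc(MODEL_PAGE_SIZE);
    char *value = calloc(value_len + 1, 1);
    int n = -ENOMEM;

    if (page && value) {
        memset(value, 'A', value_len);
        n = model_sysfs_emit(page, "%s\n", value);
    }
    free(value);
    free(page);
    return n;
}

/* Hypothetical store-side check: refuse values longer than one page. */
static int model_set_param(size_t len) { return len > MODEL_PAGE_SIZE ? -EINVAL : 0; }

int main(void)
{
    printf("5000-byte value: sprintf needs %zu bytes, emit stores %d\n",
           unbounded_bytes(5000), emit_len(5000));
    printf("set_param(5000) -> %d\n", model_set_param(5000));
    return 0;
}
```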


