APPLIED[G/F/B]: [SRU Hirsute, Focal/linux-oem-5.10, Groovy, Focal/linux-oem-5.6, Focal, Bionic 0/4] CVE-2021-27363, CVE-2021-27364, CVE-2021-27365

Fri Mar 12 01:18:39 UTC 2021

Applied to G/F/B master-next. Thank you! 

-Kelsey

On 2021-03-10 23:36:12 , Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users can use the iscsi_transport handle to leak kernel address,
> create/close iscsi sessions, and write out of bonds when reading sysfs iscsi
> attributes.
> 
> [Fix/Backport]
> 3 commits fix the problem, minimal backporting was needed because of missing
> commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
> 4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
> *change_owner functions.
> 
> [Test case]
> Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
> possible anymore. Also, creating a session also failed, and even as root,
> setting a name larger than PAGE_SIZE failed.
> 
> [Potential regression]
> iscsi users could fail to operate as unprivileged users.
> 
> Chris Leech (2):
>   scsi: iscsi: Verify lengths on passthrough PDUs
>   scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
> 
> Joe Perches (1):
>   sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
> 
> Lee Duncan (1):
>   scsi: iscsi: Restrict sessions and handles to admin capabilities
> 
>  Documentation/filesystems/sysfs.txt |   8 +-
>  drivers/scsi/libiscsi.c             | 148 ++++++++++++++--------------
>  drivers/scsi/scsi_transport_iscsi.c |  39 ++++++--
>  fs/sysfs/file.c                     |  55 +++++++++++
>  include/linux/sysfs.h               |  16 +++
>  5 files changed, 178 insertions(+), 88 deletions(-)
> 
> -- 
> 2.27.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team