[Kernel-packages] [Bug 1742480] Re: [Hyper-V] storvsc: do not assume SG list is continuous when doing bounce buffers

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 3.13.0-144.193

---------------
linux (3.13.0-144.193) trusty; urgency=medium

  * linux: 3.13.0-144.193 -proposed tracker (LP: #1755227)

  * CVE-2017-12762
    - isdn/i4l: fix buffer overflow

  * CVE-2017-17807
    - KEYS: add missing permission check for request_key() destination

  * bnx2x_attn_int_deasserted3:4323 MC assert! (LP: #1715519) //
    CVE-2018-1000026
    - net: Add ndo_gso_check
    - net: create skb_gso_validate_mac_len()
    - bnx2x: disable GSO where gso_size is too big for hardware

  * CVE-2017-17448
    - netfilter: nfnetlink_cthelper: Add missing permission checks

  * CVE-2017-11089
    - cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE

  * CVE-2018-5332
    - RDS: Heap OOB write in rds_message_alloc_sgs()

  * ppc64el: Do not call ibm,os-term on panic (LP: #1736954)
    - powerpc: Do not call ppc_md.panic in fadump panic notifier

  * CVE-2017-17805
    - crypto: salsa20 - fix blkcipher_walk API usage

  * [Hyper-V] storvsc: do not assume SG list is continuous when doing bounce
    buffers (LP: #1742480)
    - SAUCE: storvsc: do not assume SG list is continuous when doing bounce
      buffers

  * Shutdown hang on 16.04 with iscsi targets (LP: #1569925)
    - scsi: libiscsi: Allow sd_shutdown on bad transport

  * CVE-2017-17741
    - KVM: Fix stack-out-of-bounds read in write_mmio

  * CVE-2017-5715 (Spectre v2 Intel)
    - [Packaging] pull in retpoline files

 -- Stefan Bader <stefan.ba...@canonical.com>  Thu, 15 Mar 2018 15:08:03
+0100

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11089

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12762

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17448

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17741

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17805

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17807

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715

** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2018-1000026

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-5332

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1742480

Title:
  [Hyper-V] storvsc: do not assume SG list is continuous when doing
  bounce buffers

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released

Bug description:
  All linux kernels 4.1 and prior use bounce buffers, and there is a
  data corruption vulnerability on Hyper-V without the following patch.

  storvsc checks the SG list for gaps before passing them to Hyper-v device.
  If there are gaps, data is copied to a bounce buffer and a continuous data
  buffer is passed to Hyper-V.

  The check on gaps assumes SG list is continuous, and not chained. This is
  not always true. Failing the check may result in incorrect I/O data
  passed to the Hyper-v device.

  This code path is not used post Linux 4.1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1742480/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp