aacraid driver may return uninitialized stack data to userspace

Bug #1700077 reported by Seth Forshee on 2017-06-23
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Seth Forshee
Seth Forshee

Bug Description

SRU Justification

Impact: Recent aacraid backports introduce potential information leaks, where some stack allocated memory may be copied to userspace without initialization.

Fix: Clear out the affected memory before using it to ensure that none is left uninitialized.

Test Case: None. Code review should be sufficient to validate the changes.

Regression Potential: Negligible. The patch simply memsets some structs to clear them out prior to any other use.


aac_send_raw_srb() and aac_get_hba_info() both copy the contents of stack variables to userspace when some of this memory may be uninitialized. The memory should be zeroed out initially to prevent this.

Seth Forshee (sforshee) wrote :

Note that this bug also exists upstream.

Changed in linux (Ubuntu):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Zesty):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → Medium
status: New → In Progress
Seth Forshee (sforshee) on 2017-06-23
description: updated
Seth Forshee (sforshee) wrote :

http://<email address hidden>

Seth Forshee (sforshee) on 2017-06-23
description: updated
Seth Forshee (sforshee) wrote :

Applied to artful/master-next and unstable/master. Patch sent for zesty:


Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Zesty):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-zesty' to 'verification-done-zesty'. If the problem still exists, change the tag 'verification-needed-zesty' to 'verification-failed-zesty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-zesty
Launchpad Janitor (janitor) wrote :
Download full text (4.0 KiB)

This bug was fixed in the package linux - 4.11.0-10.15

linux (4.11.0-10.15) artful; urgency=low

  * linux: 4.11.0-10.15 -proposed tracker (LP: #1701271)

  * Artful update to v4.11.8 stable release (LP: #1701269)
    - clk: sunxi-ng: a31: Correct lcd1-ch1 clock register offset
    - clk: sunxi-ng: v3s: Fix usb otg device reset bit
    - clk: sunxi-ng: sun5i: Fix ahb_bist_clk definition
    - xen/blkback: fix disconnect while I/Os in flight
    - xen-blkback: don't leak stack data via response ring
    - ALSA: firewire-lib: Fix stall of process context at packet error
    - ALSA: pcm: Don't treat NULL chmap as a fatal error
    - ALSA: hda - Add Coffelake PCI ID
    - ALSA: hda - Apply quirks to Broxton-T, too
    - fs/exec.c: account for argv/envp pointers
    - powerpc/perf: Fix oops when kthread execs user process
    - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
    - fs/dax.c: fix inefficiency in dax_writeback_mapping_range()
    - lib/cmdline.c: fix get_options() overflow while parsing ranges
    - perf/x86/intel: Add 1G DTLB load/store miss support for SKL
    - perf probe: Fix probe definition for inlined functions
    - KVM: x86: fix singlestepping over syscall
    - KVM: MIPS: Fix maybe-uninitialized build failure
    - KVM: s390: gaccess: fix real-space designation asce handling for gmap
    - KVM: PPC: Book3S HV: Cope with host using large decrementer mode
    - KVM: PPC: Book3S HV: Preserve userspace HTM state properly
    - KVM: PPC: Book3S HV: Ignore timebase offset on POWER9 DD1
    - KVM: PPC: Book3S HV: Context-switch EBB registers properly
    - KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit
    - KVM: PPC: Book3S HV: Save/restore host values of debug registers
    - CIFS: Improve readdir verbosity
    - CIFS: Fix some return values in case of error in 'crypt_message'
    - cxgb4: notify uP to route ctrlq compl to rdma rspq
    - HID: Add quirk for Dell PIXART OEM mouse
    - random: silence compiler warnings and fix race
    - signal: Only reschedule timers on signals timers have sent
    - powerpc/kprobes: Pause function_graph tracing during jprobes handling
    - powerpc/64s: Handle data breakpoints in Radix mode
    - Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
    - brcmfmac: add parameter to pass error code in firmware callback
    - brcmfmac: use firmware callback upon failure to load
    - brcmfmac: unbind all devices upon failure in firmware callback
    - time: Fix clock->read(clock) race around clocksource changes
    - time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
    - arm64/vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
    - target: Fix kref->refcount underflow in transport_cmd_finish_abort
    - iscsi-target: Fix delayed logout processing greater than
    - iscsi-target: Reject immediate data underflow larger than SCSI transfer
    - drm/radeon: add a PX quirk for another K53TK variant
    - drm/radeon: add a quirk for Toshiba Satellite L20-183
    - drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating
    - drm/amdgpu: adjust default display clock


Changed in linux (Ubuntu):
status: Fix Committed → Fix Released

Due to the nature of the issue, verification is not needed so setting the tag to verification-done-zesty.

tags: added: verification-done-zesty
removed: verification-needed-zesty
Launchpad Janitor (janitor) wrote :
Download full text (8.1 KiB)

This bug was fixed in the package linux - 4.10.0-28.32

linux (4.10.0-28.32) zesty; urgency=low

  * linux: 4.10.0-28.32 -proposed tracker (LP: #1701013)

  * KILLER1435-S[0489:e0a2] BT cannot search BT 4.0 device (LP: #1699651)
    - Bluetooth: btusb: Add support for 0489:e0a2 QCA_ROME device

  * aacraid driver may return uninitialized stack data to userspace
    (LP: #1700077)
    - SAUCE: scsi: aacraid: Don't copy uninitialized stack memory to userspace

  * CVE-2017-9605
    - drm/vmwgfx: Make sure backup_handle is always valid

  * CVE-2017-1000380
    - ALSA: timer: Fix race between read and ioctl
    - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT

  * XDP eBPF programs fail to verify on Zesty ppc64el (LP: #1699627)
    - [Config] ppc64el: build for Power8 not Power7

  * AACRAID for power9 platform (LP: #1689980)
    - scripts/spelling.txt: add "therfore" pattern and fix typo instances
    - scsi: aacraid: fix PCI error recovery path
    - scsi: aacraid: pci_alloc_consistent() failures on ARM64
    - scsi: aacraid: Remove __GFP_DMA for raw srb memory
    - scsi: aacraid: Fix DMAR issues with iommu=pt
    - scsi: aacraid: Added 32 and 64 queue depth for arc natives
    - scsi: aacraid: Set correct Queue Depth for HBA1000 RAW disks
    - scsi: aacraid: Remove reset support from check_health
    - scsi: aacraid: Change wait time for fib completion
    - scsi: aacraid: Log count info of scsi cmds before reset
    - scsi: aacraid: Print ctrl status before eh reset
    - scsi: aacraid: Using single reset mask for IOP reset
    - scsi: aacraid: Rework IOP reset
    - scsi: aacraid: Add periodic checks to see IOP reset status
    - scsi: aacraid: Rework SOFT reset code
    - scsi: aacraid: Rework aac_src_restart
    - scsi: aacraid: Use correct function to get ctrl health
    - scsi: aacraid: Make sure ioctl returns on controller reset
    - scsi: aacraid: Enable ctrl reset for both hba and arc
    - scsi: aacraid: Add reset debugging statements
    - scsi: aacraid: Remove reference to Series-9
    - scsi: aacraid: Update driver version to 50834

  * arm64 kernel crashdump support (LP: #1694859)
    - memblock: add memblock_clear_nomap()
    - memblock: add memblock_cap_memory_range()
    - arm64: limit memory regions based on DT property, usable-memory-range
    - arm64: kdump: reserve memory for crash dump kernel
    - arm64: mm: add set_memory_valid()
    - arm64: mm: use phys_addr_t instead of unsigned long in __map_memblock
    - arm64: kdump: protect crash dump kernel memory
    - arm64: hibernate: preserve kdump image around hibernation
    - arm64: kdump: implement machine_crash_shutdown()
    - arm64: kdump: add VMCOREINFO's for user-space tools
    - [Config] CONFIG_CRASH_DUMP=y on arm64
    - arm64: kdump: provide /proc/vmcore file
    - Documentation: kdump: describe arm64 port
    - Documentation: dt: chosen properties for arm64 kdump
    - efi/libstub/arm*: Set default address and size cells values for an empty dtb

  * hibmc driver does not include "pci:" prefix in bus ID (LP: #1698700)
    - SAUCE: drm: hibmc: Use set_busid function from drm core

  * Processes in "D" state due to za...


Changed in linux (Ubuntu Zesty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers