debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)

This commit is contained in:
Ben Hutchings 2016-10-13 00:24:49 +01:00
parent efccbd4eb2
commit ae695bc66b
3 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
debian/changelog vendored
View File

@ -127,6 +127,7 @@ linux (4.7.7-1) UNRELEASED; urgency=medium
[ Ben Hutchings ]
* net: add recursion limit to GRO (CVE-2016-7039)
* posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097)
* scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
-- Ben Hutchings <ben@decadent.org.uk> Tue, 11 Oct 2016 22:43:14 +0100

43
debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch vendored Normal file
View File

@ -0,0 +1,43 @@
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 15 Sep 2016 16:44:56 +0300
Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
Origin: https://git.kernel.org/linus/7bc2b55a5c030685b399bb65b6baa9ccc3d1f167
We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.
Cc: <stable@vger.kernel.org>
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
index 7640498964a5..110eca9eaca0 100644
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
}
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
unsigned char *ver_addr;
- int32_t user_len, cnt2end;
+ uint32_t user_len;
+ int32_t cnt2end;
uint8_t *pQbuffer, *ptmpuserbuffer;
ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
if (!ver_addr) {
@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
}
ptmpuserbuffer = ver_addr;
user_len = pcmdmessagefld->cmdmessage.Length;
+ if (user_len > ARCMSR_API_DATA_BUFLEN) {
+ retvalue = ARCMSR_MESSAGE_FAIL;
+ kfree(ver_addr);
+ goto message_out;
+ }
memcpy(ptmpuserbuffer,
pcmdmessagefld->messagedatabuffer, user_len);
spin_lock_irqsave(&acb->wqbuffer_lock, flags);

1
debian/patches/series vendored
View File

@ -116,6 +116,7 @@ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/net-add-recursion-limit-to-gro.patch
bugfix/all/posix_acl-clear-sgid-bit-when-setting-file-permissio.patch
bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
# ABI maintenance
debian/i8042-revert-abi-break-in-4.7.3.patch