scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
This commit is contained in:
parent
efccbd4eb2
commit
ae695bc66b
|
@ -127,6 +127,7 @@ linux (4.7.7-1) UNRELEASED; urgency=medium
|
|||
[ Ben Hutchings ]
|
||||
* net: add recursion limit to GRO (CVE-2016-7039)
|
||||
* posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097)
|
||||
* scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 11 Oct 2016 22:43:14 +0100
|
||||
|
||||
|
|
43
debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
vendored
Normal file
43
debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
vendored
Normal file
|
@ -0,0 +1,43 @@
|
|||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Thu, 15 Sep 2016 16:44:56 +0300
|
||||
Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
|
||||
Origin: https://git.kernel.org/linus/7bc2b55a5c030685b399bb65b6baa9ccc3d1f167
|
||||
|
||||
We need to put an upper bound on "user_len" so the memcpy() doesn't
|
||||
overflow.
|
||||
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Reported-by: Marco Grassi <marco.gra@gmail.com>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
|
||||
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
||||
---
|
||||
drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
index 7640498964a5..110eca9eaca0 100644
|
||||
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
|
||||
}
|
||||
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
|
||||
unsigned char *ver_addr;
|
||||
- int32_t user_len, cnt2end;
|
||||
+ uint32_t user_len;
|
||||
+ int32_t cnt2end;
|
||||
uint8_t *pQbuffer, *ptmpuserbuffer;
|
||||
ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
|
||||
if (!ver_addr) {
|
||||
@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
|
||||
}
|
||||
ptmpuserbuffer = ver_addr;
|
||||
user_len = pcmdmessagefld->cmdmessage.Length;
|
||||
+ if (user_len > ARCMSR_API_DATA_BUFLEN) {
|
||||
+ retvalue = ARCMSR_MESSAGE_FAIL;
|
||||
+ kfree(ver_addr);
|
||||
+ goto message_out;
|
||||
+ }
|
||||
memcpy(ptmpuserbuffer,
|
||||
pcmdmessagefld->messagedatabuffer, user_len);
|
||||
spin_lock_irqsave(&acb->wqbuffer_lock, flags);
|
|
@ -116,6 +116,7 @@ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/net-add-recursion-limit-to-gro.patch
|
||||
bugfix/all/posix_acl-clear-sgid-bit-when-setting-file-permissio.patch
|
||||
bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
|
||||
|
||||
# ABI maintenance
|
||||
debian/i8042-revert-abi-break-in-4.7.3.patch
|
||||
|
|
Loading…
Reference in New Issue