diff --git a/debian/changelog b/debian/changelog index 23e994566..c65dce729 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ linux (4.12.12-3) UNRELEASED; urgency=medium * sctp: Avoid out-of-bounds reads from address storage (CVE-2017-7558) + * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051) -- Salvatore Bonaccorso Thu, 14 Sep 2017 06:25:04 +0200 diff --git a/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch b/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch new file mode 100644 index 000000000..7359feaaf --- /dev/null +++ b/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch @@ -0,0 +1,64 @@ +From: Dan Carpenter +Date: Wed, 30 Aug 2017 16:30:35 +0300 +Subject: scsi: qla2xxx: Fix an integer overflow in sysfs code +Origin: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017 +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=194061 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14051 + +The value of "size" comes from the user. When we add "start + size" it +could lead to an integer overflow bug. + +It means we vmalloc() a lot more memory than we had intended. I believe +that on 64 bit systems vmalloc() can succeed even if we ask it to +allocate huge 4GB buffers. So we would get memory corruption and likely +a crash when we call ha->isp_ops->write_optrom() and ->read_optrom(). + +Only root can trigger this bug. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061 + +Cc: +Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.") +Reported-by: shqking +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +--- + drivers/scsi/qla2xxx/qla_attr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index 08a1feb3a195..8c6ff1682fb1 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -318,6 +318,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + return -EINVAL; + if (start > ha->optrom_size) + return -EINVAL; ++ if (size > ha->optrom_size - start) ++ size = ha->optrom_size - start; + + mutex_lock(&ha->optrom_mutex); + switch (val) { +@@ -343,8 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size > ha->optrom_size ? +- ha->optrom_size - start : size; ++ ha->optrom_region_size = start + size; + + ha->optrom_state = QLA_SREADING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +@@ -417,8 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size > ha->optrom_size ? +- ha->optrom_size - start : size; ++ ha->optrom_region_size = start + size; + + ha->optrom_state = QLA_SWRITING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index 1034c8917..957d7d9f1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -121,6 +121,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch +bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch