diff options
author | Justin M. Forbes <jforbes@redhat.com> | 2017-08-31 09:21:17 -0400 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2017-08-31 09:21:17 -0400 |
commit | 5457b855569a2bb5300e37ab87407e6599b54340 (patch) | |
tree | 9b1d4091f4d46d582549ac897c4a440c34345c6f | |
parent | 2ef60f262b94d91a30e6ce803be853099752d2f2 (diff) | |
download | kernel-5457b855569a2bb5300e37ab87407e6599b54340.tar.gz kernel-5457b855569a2bb5300e37ab87407e6599b54340.tar.xz kernel-5457b855569a2bb5300e37ab87407e6599b54340.zip |
Fix CVE-2017-14051 (rhbz 1487126 1487127)
-rw-r--r-- | kernel.spec | 8 | ||||
-rw-r--r-- | v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch | 67 |
2 files changed, 74 insertions, 1 deletions
diff --git a/kernel.spec b/kernel.spec index 6aaba08ea..cea95741c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -690,6 +690,9 @@ Patch715: acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch # rhbz 1484587 Patch716: md-raid-reset-bio-allocated-from-mempool.patch +# CVE-2017-14051 rhbz 1487126 1487127 +Patch717: v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch + # END OF PATCH DEFINITIONS %endif @@ -2264,7 +2267,10 @@ fi # # %changelog -* Wed Aug 30 2017 Justin M. Forbes <jforbes@redhat.com> - 4.12.10-300 +* Thu Aug 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.10-300 +- Fix CVE-2017-14051 (rhbz 1487126 1487127) + +* Wed Aug 30 2017 Justin M. Forbes <jforbes@redhat.com> - Linux v4.12.10 - Fix for CVE-2017-13693 (rhbz 1485346 1485356) - Fix for CVE-2017-13694 (rhbz 1485348) diff --git a/v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch b/v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch new file mode 100644 index 000000000..6850c0ca2 --- /dev/null +++ b/v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch @@ -0,0 +1,67 @@ +From patchwork Wed Aug 30 13:30:35 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [v2] scsi: qla2xxx: Fix an integer overflow in sysfs code +From: Dan Carpenter <dan.carpenter@oracle.com> +X-Patchwork-Id: 9929625 +Message-Id: <20170830133035.nbkiled5hhdt26ui@mwanda> +To: qla2xxx-upstream@qlogic.com, shqking <shqking@gmail.com>, + Joe Carnuccio <joe.carnuccio@qlogic.com> +Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>, + "Martin K. Petersen" <martin.petersen@oracle.com>, + linux-scsi@vger.kernel.org, security@kernel.org +Date: Wed, 30 Aug 2017 16:30:35 +0300 + +The value of "size" comes from the user. When we add "start + size" +it could lead to an integer overflow bug. + +It means we vmalloc() a lot more memory than we had intended. I believe +that on 64 bit systems vmalloc() can succeed even if we ask it to +allocate huge 4GB buffers. So we would get memory corruption and likely +a crash when we call ha->isp_ops->write_optrom() and ->read_optrom(). + +Only root can trigger this bug. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061 + +Cc: stable@vger.kernel.org +Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.") +Reported-by: shqking <shqking@gmail.com> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +--- +v2: Add stable and the URL for bugzila + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index 75c4b312645e..9ce28c4f9812 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -318,6 +318,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + return -EINVAL; + if (start > ha->optrom_size) + return -EINVAL; ++ if (size > ha->optrom_size - start) ++ size = ha->optrom_size - start; + + mutex_lock(&ha->optrom_mutex); + switch (val) { +@@ -343,8 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size > ha->optrom_size ? +- ha->optrom_size - start : size; ++ ha->optrom_region_size = start + size; + + ha->optrom_state = QLA_SREADING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +@@ -417,8 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size > ha->optrom_size ? +- ha->optrom_size - start : size; ++ ha->optrom_region_size = start + size; + + ha->optrom_state = QLA_SWRITING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); |