Fix CVE-2017-14051 (rhbz 1487126 1487127)

2 files changed, 74 insertions, 1 deletions

diff --git a/kernel.spec b/kernel.spec
index 6aaba08ea..cea95741c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -690,6 +690,9 @@ Patch715: acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch
 # rhbz 1484587
 Patch716: md-raid-reset-bio-allocated-from-mempool.patch
 
+# CVE-2017-14051 rhbz 1487126 1487127
+Patch717: v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2264,7 +2267,10 @@ fi
 #
 #
 %changelog
-* Wed Aug 30 2017 Justin M. Forbes <jforbes@redhat.com> - 4.12.10-300
+* Thu Aug 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.10-300
+- Fix CVE-2017-14051 (rhbz 1487126 1487127)
+
+* Wed Aug 30 2017 Justin M. Forbes <jforbes@redhat.com>
 - Linux v4.12.10
 - Fix for CVE-2017-13693 (rhbz 1485346 1485356)
 - Fix for CVE-2017-13694 (rhbz 1485348)
diff --git a/v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch b/v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
new file mode 100644
index 000000000..6850c0ca2
--- /dev/null
+++ b/v2-scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
@@ -0,0 +1,67 @@
+From patchwork Wed Aug 30 13:30:35 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [v2] scsi: qla2xxx: Fix an integer overflow in sysfs code
+From: Dan Carpenter <dan.carpenter@oracle.com>
+X-Patchwork-Id: 9929625
+Message-Id: <20170830133035.nbkiled5hhdt26ui@mwanda>
+To: qla2xxx-upstream@qlogic.com, shqking <shqking@gmail.com>,
+ Joe Carnuccio <joe.carnuccio@qlogic.com>
+Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
+ "Martin K. Petersen" <martin.petersen@oracle.com>,
+ linux-scsi@vger.kernel.org, security@kernel.org
+Date: Wed, 30 Aug 2017 16:30:35 +0300
+
+The value of "size" comes from the user.  When we add "start + size"
+it could lead to an integer overflow bug.
+
+It means we vmalloc() a lot more memory than we had intended.  I believe
+that on 64 bit systems vmalloc() can succeed even if we ask it to
+allocate huge 4GB buffers.  So we would get memory corruption and likely
+a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().
+
+Only root can trigger this bug.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061
+
+Cc: stable@vger.kernel.org
+Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
+Reported-by: shqking <shqking@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+---
+v2: Add stable and the URL for bugzila
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 75c4b312645e..9ce28c4f9812 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -318,6 +318,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		return -EINVAL;
+ 	if (start > ha->optrom_size)
+ 		return -EINVAL;
++	if (size > ha->optrom_size - start)
++		size = ha->optrom_size - start;
+ 
+ 	mutex_lock(&ha->optrom_mutex);
+ 	switch (val) {
+@@ -343,8 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		}
+ 
+ 		ha->optrom_region_start = start;
+-		ha->optrom_region_size = start + size > ha->optrom_size ?
+-		    ha->optrom_size - start : size;
++		ha->optrom_region_size = start + size;
+ 
+ 		ha->optrom_state = QLA_SREADING;
+ 		ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+@@ -417,8 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		}
+ 
+ 		ha->optrom_region_start = start;
+-		ha->optrom_region_size = start + size > ha->optrom_size ?
+-		    ha->optrom_size - start : size;
++		ha->optrom_region_size = start + size;
+ 
+ 		ha->optrom_state = QLA_SWRITING;
+ 		ha->optrom_buffer = vmalloc(ha->optrom_region_size);