diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-10-27 07:52:42 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-10-27 07:52:42 +0200 |
commit | 6ef1f900ea30dc8e92ee3ae82be1594e4e010490 (patch) | |
tree | a13a91c5e77a65c619597f9aadf74e87c0db7f26 | |
parent | 4344260fa35e3ab0e1c159e8e15554d2e4ffec32 (diff) | |
parent | 0cd242c3d5eb80345344f6d7daee9283be22f2db (diff) | |
download | kernel-6ef1f900ea30dc8e92ee3ae82be1594e4e010490.tar.gz kernel-6ef1f900ea30dc8e92ee3ae82be1594e4e010490.tar.xz kernel-6ef1f900ea30dc8e92ee3ae82be1594e4e010490.zip |
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.7.10-100.vanilla.knurd.1.fc23
-rw-r--r-- | arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch | 41 | ||||
-rw-r--r-- | kernel.spec | 8 | ||||
-rw-r--r-- | sources | 2 |
3 files changed, 5 insertions, 46 deletions
diff --git a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch deleted file mode 100644 index 81ed8814d..000000000 --- a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: 2016-09-15 13:44:56 -Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer() - -We need to put an upper bound on "user_len" so the memcpy() doesn't -overflow. - -Reported-by: Marco Grassi <marco.gra@gmail.com> -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Reviewed-by: Tomas Henzl <thenzl@redhat.com> - -diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c -index 7640498..110eca9 100644 ---- a/drivers/scsi/arcmsr/arcmsr_hba.c -+++ b/drivers/scsi/arcmsr/arcmsr_hba.c -@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, - } - case ARCMSR_MESSAGE_WRITE_WQBUFFER: { - unsigned char *ver_addr; -- int32_t user_len, cnt2end; -+ uint32_t user_len; -+ int32_t cnt2end; - uint8_t *pQbuffer, *ptmpuserbuffer; - ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); - if (!ver_addr) { -@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, - } - ptmpuserbuffer = ver_addr; - user_len = pcmdmessagefld->cmdmessage.Length; -+ if (user_len > ARCMSR_API_DATA_BUFLEN) { -+ retvalue = ARCMSR_MESSAGE_FAIL; -+ kfree(ver_addr); -+ goto message_out; -+ } - memcpy(ptmpuserbuffer, - pcmdmessagefld->messagedatabuffer, user_len); - spin_lock_irqsave(&acb->wqbuffer_lock, flags); --- -To unsubscribe from this list: send the line "unsubscribe linux-scsi" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index e571eafb9..8c107da3f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -60,7 +60,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -655,9 +655,6 @@ Patch863: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch #ongoing complaint, full discussion delayed until ksummit/plumbers Patch864: 0001-iio-Use-event-header-from-kernel-tree.patch -#CVE-2016-7425 rhbz 1377330 1377331 -Patch865: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch - # END OF PATCH DEFINITIONS %endif @@ -2183,6 +2180,9 @@ fi # # %changelog +* Wed Oct 26 2016 Laura Abbott <labbott@redhat.com> - 4.7.10-100 +- Linux v4.7.10 + * Thu Oct 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.7.9-100 - Linux v4.7.9 - CVE-2016-5195 (rhbz 1384344 1387080) @@ -1,3 +1,3 @@ 5276563eb1f39a048e4a8a887408c031 linux-4.7.tar.xz fe259c02c75eec61d1aa4b1211f3c853 perf-man-4.7.tar.gz -28f6b3a4bf77710cbffbee17afcf7ae2 patch-4.7.9.xz +b9fd64120635788b6219f82392cedcb9 patch-4.7.10.xz |