diff options
author | Justin M. Forbes <jforbes@redhat.com> | 2016-09-19 09:36:29 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2016-09-19 09:36:29 -0500 |
commit | cfbcfd241e72408a294c88c57a489379fcc205ca (patch) | |
tree | 18d9b668a4535720b033df304b5e5ba73c6ea8c3 | |
parent | f9f2d4777c0125c02e2bafa7175767278a129446 (diff) | |
download | kernel-cfbcfd241e72408a294c88c57a489379fcc205ca.tar.gz kernel-cfbcfd241e72408a294c88c57a489379fcc205ca.tar.xz kernel-cfbcfd241e72408a294c88c57a489379fcc205ca.zip |
CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)
-rw-r--r-- | arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch | 41 | ||||
-rw-r--r-- | kernel.spec | 6 |
2 files changed, 47 insertions, 0 deletions
diff --git a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch new file mode 100644 index 000000000..81ed8814d --- /dev/null +++ b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch @@ -0,0 +1,41 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: 2016-09-15 13:44:56 +Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer() + +We need to put an upper bound on "user_len" so the memcpy() doesn't +overflow. + +Reported-by: Marco Grassi <marco.gra@gmail.com> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Reviewed-by: Tomas Henzl <thenzl@redhat.com> + +diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c +index 7640498..110eca9 100644 +--- a/drivers/scsi/arcmsr/arcmsr_hba.c ++++ b/drivers/scsi/arcmsr/arcmsr_hba.c +@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, + } + case ARCMSR_MESSAGE_WRITE_WQBUFFER: { + unsigned char *ver_addr; +- int32_t user_len, cnt2end; ++ uint32_t user_len; ++ int32_t cnt2end; + uint8_t *pQbuffer, *ptmpuserbuffer; + ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); + if (!ver_addr) { +@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, + } + ptmpuserbuffer = ver_addr; + user_len = pcmdmessagefld->cmdmessage.Length; ++ if (user_len > ARCMSR_API_DATA_BUFLEN) { ++ retvalue = ARCMSR_MESSAGE_FAIL; ++ kfree(ver_addr); ++ goto message_out; ++ } + memcpy(ptmpuserbuffer, + pcmdmessagefld->messagedatabuffer, user_len); + spin_lock_irqsave(&acb->wqbuffer_lock, flags); +-- +To unsubscribe from this list: send the line "unsubscribe linux-scsi" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index 268e381db..c061f6fce 100644 --- a/kernel.spec +++ b/kernel.spec @@ -643,6 +643,9 @@ Patch863: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch #ongoing complaint, full discussion delayed until ksummit/plumbers Patch864: 0001-iio-Use-event-header-from-kernel-tree.patch +#CVE-2016-7425 rhbz 1377330 1377331 +Patch865: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch + # END OF PATCH DEFINITIONS %endif @@ -2170,6 +2173,9 @@ fi # # %changelog +* Mon Sep 19 2016 Justin M. Forbes <jforbes@fedoraproject.org> +- CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331) + * Thu Sep 15 2016 Laura Abbott <labbott@fedoraproject.org> - 4.7.4-200 - Linux v4.7.4 |