CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
This commit is contained in:
Josh Boyer
parent
579e4ff693
commit
96d245ede5
|
|
@ -0,0 +1,42 @@
|
|||
Bugzilla: 1033593
|
||||
Upstream-status: 3.13
|
||||
|
||||
From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
|
||||
From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
|
||||
Date: Thu, 31 Oct 2013 14:01:02 +0530
|
||||
Subject: [PATCH] aacraid: prevent invalid pointer dereference
|
||||
|
||||
It appears that driver runs into a problem here if fibsize is too small
|
||||
because we allocate user_srbcmd with fibsize size only but later we
|
||||
access it until user_srbcmd->sg.count to copy it over to srbcmd.
|
||||
|
||||
It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
|
||||
structure already includes one sg element and this is not needed for
|
||||
commands without data. So, we would recommend to add the following
|
||||
(instead of test for fibsize == 0).
|
||||
|
||||
Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
drivers/scsi/aacraid/commctrl.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
|
||||
index d85ac1a..fbcd48d 100644
|
||||
--- a/drivers/scsi/aacraid/commctrl.c
|
||||
+++ b/drivers/scsi/aacraid/commctrl.c
|
||||
@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
|
||||
+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
|
||||
+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
|
||||
rcode = -EINVAL;
|
||||
goto cleanup;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
|
@ -763,6 +763,9 @@ Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
|
|||
#CVE-2013-6378 rhbz 1033578 1034183
|
||||
Patch25155: libertas-potential-oops-in-debugfs.patch
|
||||
|
||||
#CVE-2013-6380 rhbz 1033593 1034304
|
||||
Patch25156: aacraid-prevent-invalid-pointer-dereference.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1494,6 +1497,9 @@ ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
|
|||
#CVE-2013-6378 rhbz 1033578 1034183
|
||||
ApplyPatch libertas-potential-oops-in-debugfs.patch
|
||||
|
||||
#CVE-2013-6380 rhbz 1033593 1034304
|
||||
ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2298,6 +2304,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Mon Nov 25 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
|
||||
- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
|
||||
|
||||
* Sat Nov 23 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
|
|
|
|||
Loading…
Reference in New Issue