CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)
This commit is contained in:
parent
f9f2d4777c
commit
cfbcfd241e
|
@ -0,0 +1,41 @@
|
|||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: 2016-09-15 13:44:56
|
||||
Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer()
|
||||
|
||||
We need to put an upper bound on "user_len" so the memcpy() doesn't
|
||||
overflow.
|
||||
|
||||
Reported-by: Marco Grassi <marco.gra@gmail.com>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
|
||||
|
||||
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
index 7640498..110eca9 100644
|
||||
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
|
||||
}
|
||||
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
|
||||
unsigned char *ver_addr;
|
||||
- int32_t user_len, cnt2end;
|
||||
+ uint32_t user_len;
|
||||
+ int32_t cnt2end;
|
||||
uint8_t *pQbuffer, *ptmpuserbuffer;
|
||||
ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
|
||||
if (!ver_addr) {
|
||||
@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
|
||||
}
|
||||
ptmpuserbuffer = ver_addr;
|
||||
user_len = pcmdmessagefld->cmdmessage.Length;
|
||||
+ if (user_len > ARCMSR_API_DATA_BUFLEN) {
|
||||
+ retvalue = ARCMSR_MESSAGE_FAIL;
|
||||
+ kfree(ver_addr);
|
||||
+ goto message_out;
|
||||
+ }
|
||||
memcpy(ptmpuserbuffer,
|
||||
pcmdmessagefld->messagedatabuffer, user_len);
|
||||
spin_lock_irqsave(&acb->wqbuffer_lock, flags);
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|
@ -643,6 +643,9 @@ Patch863: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
|
|||
#ongoing complaint, full discussion delayed until ksummit/plumbers
|
||||
Patch864: 0001-iio-Use-event-header-from-kernel-tree.patch
|
||||
|
||||
#CVE-2016-7425 rhbz 1377330 1377331
|
||||
Patch865: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2170,6 +2173,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Sep 19 2016 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)
|
||||
|
||||
* Thu Sep 15 2016 Laura Abbott <labbott@fedoraproject.org> - 4.7.4-200
|
||||
- Linux v4.7.4
|
||||
|
||||
|
|
Loading…
Reference in New Issue