CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)

2016-09-19 09:36:29 -05:00 · 2016-09-19 09:36:29 -05:00 · cfbcfd241e
parent f9f2d4777c
commit cfbcfd241e
2 changed files with 47 additions and 0 deletions
--- a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
+++ b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
@ -0,0 +1,41 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: 2016-09-15 13:44:56
+Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer()
+
+We need to put an upper bound on "user_len" so the memcpy() doesn't
+overflow.
+
+Reported-by: Marco Grassi <marco.gra@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+
+diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
+index 7640498..110eca9 100644
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ 	}
+ 	case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
+ 		unsigned char *ver_addr;
+-		int32_t user_len, cnt2end;
+		uint32_t user_len;
+		int32_t cnt2end;
+ 		uint8_t *pQbuffer, *ptmpuserbuffer;
+ 		ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
+ 		if (!ver_addr) {
+@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ 		}
+ 		ptmpuserbuffer = ver_addr;
+ 		user_len = pcmdmessagefld->cmdmessage.Length;
+		if (user_len > ARCMSR_API_DATA_BUFLEN) {
+			retvalue = ARCMSR_MESSAGE_FAIL;
+			kfree(ver_addr);
+			goto message_out;
+		}
+ 		memcpy(ptmpuserbuffer,
+ 			pcmdmessagefld->messagedatabuffer, user_len);
+ 		spin_lock_irqsave(&acb->wqbuffer_lock, flags);
+--
+To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
--- a/kernel.spec
+++ b/kernel.spec
@ -643,6 +643,9 @@ Patch863: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
 #ongoing complaint, full discussion delayed until ksummit/plumbers
 Patch864: 0001-iio-Use-event-header-from-kernel-tree.patch

+#CVE-2016-7425 rhbz 1377330 1377331
+Patch865: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -2170,6 +2173,9 @@ fi
 #
 # 
 %changelog
+* Mon Sep 19 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)
+
 * Thu Sep 15 2016 Laura Abbott <labbott@fedoraproject.org> - 4.7.4-200
 - Linux v4.7.4