From: Dave Carroll <david.carroll@microsemi.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>
Cc: <aacraid@microsemi.com>, <wpengfeinudt@gmail.com>,
<scott.banesh@microsemi.com>,
Dave Carroll <david.carroll@microsemi.com>,
Linux-SCSI <linux-scsi@vger.kernel.org>,
Johannes Thumshurn <jthumshirn@suse.de>, <stable@vger.kernel.org>
Subject: [PATCH] aacraid: Check size values after double-fetch from user
Date: Fri, 5 Aug 2016 13:31:24 -0600
Message-ID: <20160805193124.6318-1-david.carroll@microsemi.com>
In aacraid's ioctl_send_fib() we do two fetches from userspace, one
to get the fib header's size and one for the fib itself. Later we use
the size field from the second fetch to further process the fib. If
for some reason the size from the second fetch is different than from
the first fix, we may encounter an out-of-bounds access in
aac_fib_send(). We also check the sender size to ensure it is not
out of bounds. This was reported in
https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned
CVE-2016-6480.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: stable@vger.kernel.org
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
---
drivers/scsi/aacraid/commctrl.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index b381b37..eadca7b 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
struct fib *fibptr;
struct hw_fib * hw_fib = (struct hw_fib *)0;
dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
- unsigned size;
+ unsigned size, osize;
int retval;
if (dev->in_reset) {
@@ -87,7 +87,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
* will not overrun the buffer when we copy the memory. Return
* an error if we would.
*/
- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+ osize = size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
if (size < le16_to_cpu(kfib->header.SenderSize))
size = le16_to_cpu(kfib->header.SenderSize);
if (size > dev->max_fib_size) {
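Review bot: osize and size diverge immediately after this assignment (size can be raised to header.SenderSize on the next two lines), yet nothing here says which quantity each variable holds. A short comment stating that osize is the first-fetch header.Size plus sizeof(struct aac_fibhdr), while size is the length checked against dev->max_fib_size, would make the later comparison auditable. A more descriptive name than osize would help, and the chained "osize = size = ..." reads better split into two statements.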
@@ -117,6 +117,13 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
retval = -EFAULT;
goto cleanup;
}
+
+ /* Sanity check the second copy */
+ if ((osize != le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr))
+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
+ retval = -EINVAL;
+ goto cleanup;
+ }
if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
aac_adapter_interrupt(dev);
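Review bot: The comment "Sanity check the second copy" does not say why the values can differ; it should state that kfib->header has just been re-read from user memory, so header.Size and header.SenderSize are no longer the values validated before the copy. The two tests are also asymmetric: header.Size must match osize exactly, while header.SenderSize only has to stay at or below size, so a changed but smaller SenderSize is accepted. If that is intentional, say so in the comment. As an alternative to detecting the mismatch, consider keeping the already validated header and fetching only the data that follows it on the second copy, which removes the double fetch instead of checking for it after the fact.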
--
2.8.3