[linux] 03/03: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Oct 12 23:28:15 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit ae695bc66b682e612fbf854bb3afbee3493c8814
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Oct 13 00:24:49 2016 +0100
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
---
debian/changelog | 1 +
...-buffer-overflow-in-arcmsr_iop_message_xf.patch | 43 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 45 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 61d6a60..b9639aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -127,6 +127,7 @@ linux (4.7.7-1) UNRELEASED; urgency=medium
[ Ben Hutchings ]
* net: add recursion limit to GRO (CVE-2016-7039)
* posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097)
+ * scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
-- Ben Hutchings <ben at decadent.org.uk> Tue, 11 Oct 2016 22:43:14 +0100
diff --git a/debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch b/debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
new file mode 100644
index 0000000..07f735f
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
@@ -0,0 +1,43 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu, 15 Sep 2016 16:44:56 +0300
+Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
+Origin: https://git.kernel.org/linus/7bc2b55a5c030685b399bb65b6baa9ccc3d1f167
+
+We need to put an upper bound on "user_len" so the memcpy() doesn't
+overflow.
+
+Cc: <stable at vger.kernel.org>
+Reported-by: Marco Grassi <marco.gra at gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Reviewed-by: Tomas Henzl <thenzl at redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+---
+ drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
+index 7640498964a5..110eca9eaca0 100644
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
++++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ }
+ case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
+ unsigned char *ver_addr;
+- int32_t user_len, cnt2end;
++ uint32_t user_len;
++ int32_t cnt2end;
+ uint8_t *pQbuffer, *ptmpuserbuffer;
+ ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
+ if (!ver_addr) {
+@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ }
+ ptmpuserbuffer = ver_addr;
+ user_len = pcmdmessagefld->cmdmessage.Length;
++ if (user_len > ARCMSR_API_DATA_BUFLEN) {
++ retvalue = ARCMSR_MESSAGE_FAIL;
++ kfree(ver_addr);
++ goto message_out;
++ }
+ memcpy(ptmpuserbuffer,
+ pcmdmessagefld->messagedatabuffer, user_len);
+ spin_lock_irqsave(&acb->wqbuffer_lock, flags);
diff --git a/debian/patches/series b/debian/patches/series
index 8b43b1c..9110c4e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -116,6 +116,7 @@ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/net-add-recursion-limit-to-gro.patch
bugfix/all/posix_acl-clear-sgid-bit-when-setting-file-permissio.patch
+bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
# ABI maintenance
debian/i8042-revert-abi-break-in-4.7.3.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list