[linux] 04/04: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Oct 17 18:39:42 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit c39c3f696a0c237ceace0064193fe8da10af63f7
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Oct 17 19:38:38 2016 +0100
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
---
debian/changelog | 1 +
...-buffer-overflow-in-arcmsr_iop_message_xf.patch | 41 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 43 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 015a13f..1177e8a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -70,6 +70,7 @@ linux (3.2.82-1) UNRELEASED; urgency=medium
* Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
(CVE-2015-8956)
* KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042)
+ * scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 04 Sep 2016 14:08:46 +0100
diff --git a/debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch b/debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
new file mode 100644
index 0000000..572d9ed
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
@@ -0,0 +1,41 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu, 15 Sep 2016 16:44:56 +0300
+Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
+Origin: https://git.kernel.org/linus/7bc2b55a5c030685b399bb65b6baa9ccc3d1f167
+
+We need to put an upper bound on "user_len" so the memcpy() doesn't
+overflow.
+
+Cc: <stable at vger.kernel.org>
+Reported-by: Marco Grassi <marco.gra at gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Reviewed-by: Tomas Henzl <thenzl at redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+[bwh: Backported to 3.2:
+ - Adjust context
+ - Use literal 1032 insetad of ARCMSR_API_DATA_BUFLEN]
+---
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
++++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -1803,7 +1803,8 @@ static int arcmsr_iop_message_xfer(struc
+
+ case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
+ unsigned char *ver_addr;
+- int32_t my_empty_len, user_len, wqbuf_firstindex, wqbuf_lastindex;
++ uint32_t user_len;
++ int32_t my_empty_len, wqbuf_firstindex, wqbuf_lastindex;
+ uint8_t *pQbuffer, *ptmpuserbuffer;
+
+ ver_addr = kmalloc(1032, GFP_ATOMIC);
+@@ -1820,6 +1821,11 @@ static int arcmsr_iop_message_xfer(struc
+ }
+ ptmpuserbuffer = ver_addr;
+ user_len = pcmdmessagefld->cmdmessage.Length;
++ if (user_len > 1032) {
++ retvalue = ARCMSR_MESSAGE_FAIL;
++ kfree(ver_addr);
++ goto message_out;
++ }
+ memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);
+ wqbuf_lastindex = acb->wqbuf_lastindex;
+ wqbuf_firstindex = acb->wqbuf_firstindex;
diff --git a/debian/patches/series b/debian/patches/series
index 19b38e5..f1b424f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1111,6 +1111,7 @@ bugfix/all/aacraid-check-size-values-after-double-fetch-from-us.patch
bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
bugfix/all/bluetooth-fix-potential-null-dereference-in-rfcomm-b.patch
bugfix/all/keys-fix-short-sprintf-buffer-in-proc-keys-show-func.patch
+bugfix/all/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xf.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list