[linux] 01/01: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Tue Oct 18 05:27:19 UTC 2016
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 404eee2e277b571348e55ab5350e0c5fe4e28ffa
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Tue Oct 18 07:19:53 2016 +0200
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
---
debian/changelog | 1 +
...-Buffer-overflow-in-arcmsr_iop_message_xf.patch | 46 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 48 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d82924e..26455d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
linux (3.16.36-1+deb8u2) UNRELEASED; urgency=medium
* KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042)
+ * scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425)
-- Salvatore Bonaccorso <carnil at debian.org> Tue, 18 Oct 2016 06:39:49 +0200
diff --git a/debian/patches/bugfix/all/scsi-arcmsr-Buffer-overflow-in-arcmsr_iop_message_xf.patch b/debian/patches/bugfix/all/scsi-arcmsr-Buffer-overflow-in-arcmsr_iop_message_xf.patch
new file mode 100644
index 0000000..33fb567
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-arcmsr-Buffer-overflow-in-arcmsr_iop_message_xf.patch
@@ -0,0 +1,46 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu, 15 Sep 2016 16:44:56 +0300
+Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
+Origin: https://git.kernel.org/linus/7bc2b55a5c030685b399bb65b6baa9ccc3d1f167
+
+We need to put an upper bound on "user_len" so the memcpy() doesn't
+overflow.
+
+Cc: <stable at vger.kernel.org>
+Reported-by: Marco Grassi <marco.gra at gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Reviewed-by: Tomas Henzl <thenzl at redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+---
+ drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
+index 7640498..110eca9 100644
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
++++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ }
+ case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
+ unsigned char *ver_addr;
+- int32_t user_len, cnt2end;
++ uint32_t user_len;
++ int32_t cnt2end;
+ uint8_t *pQbuffer, *ptmpuserbuffer;
+ ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
+ if (!ver_addr) {
+@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ }
+ ptmpuserbuffer = ver_addr;
+ user_len = pcmdmessagefld->cmdmessage.Length;
++ if (user_len > ARCMSR_API_DATA_BUFLEN) {
++ retvalue = ARCMSR_MESSAGE_FAIL;
++ kfree(ver_addr);
++ goto message_out;
++ }
+ memcpy(ptmpuserbuffer,
+ pcmdmessagefld->messagedatabuffer, user_len);
+ spin_lock_irqsave(&acb->wqbuffer_lock, flags);
+--
+2.9.3
+
diff --git a/debian/patches/series b/debian/patches/series
index 0686334..6c972f5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -678,6 +678,7 @@ bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
bugfix/all/aacraid-Check-size-values-after-double-fetch-from-us.patch
bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
+bugfix/all/scsi-arcmsr-Buffer-overflow-in-arcmsr_iop_message_xf.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list