[linux] 02/04: scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Sep 14 05:07:54 UTC 2017 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit bcc9a01d8ea6142f796fb7faa058ebb13f0145d4
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Sep 14 06:36:24 2017 +0200

    scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
---
 debian/changelog                                   |  1 +
 ...xxx-Fix-an-integer-overflow-in-sysfs-code.patch | 64 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 66 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 23e9945..c65dce7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 linux (4.12.12-3) UNRELEASED; urgency=medium
 
   * sctp: Avoid out-of-bounds reads from address storage (CVE-2017-7558)
+  * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 14 Sep 2017 06:25:04 +0200
 
diff --git a/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch b/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
new file mode 100644
index 0000000..7359fea
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
@@ -0,0 +1,64 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Wed, 30 Aug 2017 16:30:35 +0300
+Subject: scsi: qla2xxx: Fix an integer overflow in sysfs code
+Origin: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=194061
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14051
+
+The value of "size" comes from the user.  When we add "start + size" it
+could lead to an integer overflow bug.
+
+It means we vmalloc() a lot more memory than we had intended.  I believe
+that on 64 bit systems vmalloc() can succeed even if we ask it to
+allocate huge 4GB buffers.  So we would get memory corruption and likely
+a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().
+
+Only root can trigger this bug.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061
+
+Cc: <stable at vger.kernel.org>
+Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
+Reported-by: shqking <shqking at gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 08a1feb3a195..8c6ff1682fb1 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -318,6 +318,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		return -EINVAL;
+ 	if (start > ha->optrom_size)
+ 		return -EINVAL;
++	if (size > ha->optrom_size - start)
++		size = ha->optrom_size - start;
+ 
+ 	mutex_lock(&ha->optrom_mutex);
+ 	switch (val) {
+@@ -343,8 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		}
+ 
+ 		ha->optrom_region_start = start;
+-		ha->optrom_region_size = start + size > ha->optrom_size ?
+-		    ha->optrom_size - start : size;
++		ha->optrom_region_size = start + size;
+ 
+ 		ha->optrom_state = QLA_SREADING;
+ 		ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+@@ -417,8 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		}
+ 
+ 		ha->optrom_region_start = start;
+-		ha->optrom_region_size = start + size > ha->optrom_size ?
+-		    ha->optrom_size - start : size;
++		ha->optrom_region_size = start + size;
+ 
+ 		ha->optrom_state = QLA_SWRITING;
+ 		ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+-- 
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 1034c89..957d7d9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -121,6 +121,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
+bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list