Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3
commitfa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3[log] [tgz]
authorDave Carroll <david.carroll@microsemi.com>Fri Aug 05 13:44:10 2016 -0600
committerMartin K. Petersen <martin.petersen@oracle.com>Mon Aug 08 21:34:02 2016 -0400
tree911d3db2ec31ca2e6cb401cc68efaa42603b897e
parentea0a95d7f162bfa1c9df74471f0064f71cdf80ea [diff]
aacraid: Check size values after double-fetch from user

In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fix, we may encounter an out-of- bounds access in aac_fib_send(). We
also check the sender size to insure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: stable@vger.kernel.org
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 file changed
tree: 911d3db2ec31ca2e6cb401cc68efaa42603b897e
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .get_maintainer.ignore
  24. .gitignore
  25. .mailmap
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. README
  33. REPORTING-BUGS