kernel: scsi: aacraid: CVE-2016-6480

Fixes double fetch in ioctl_send_fib(). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480 Upstream bug: https://bugzilla.kernel.org/show_bug.cgi?id=116751 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=bcc85e09fc60d2e99053eae3fd0515c343189375 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-11-02 12:13:26 +0100
committer: Adrian Dudau <adrian.dudau@enea.com> 2016-11-03 14:10:34 +0100
commit: 4f88be3f5aca8b19343fe093ac2790890e0c36f0 (patch)
tree: 0f3c7995e9b072f54e26e6a144b51062c697a2c9
parent: 7f5d5e29d35616653a50ab44fd2dd330a44c1bcc (diff)
download: meta-enea-bsp-arm-4f88be3f5aca8b19343fe093ac2790890e0c36f0.tar.gz
2 files changed, 73 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ls1/CVE-2016-6480.patch b/recipes-kernel/linux/linux-ls1/CVE-2016-6480.patch
new file mode 100644
index 0000000..e78067e
--- /dev/null
+++ b/recipes-kernel/linux/linux-ls1/CVE-2016-6480.patch
@@ -0,0 +1,72 @@
+From bcc85e09fc60d2e99053eae3fd0515c343189375 Mon Sep 17 00:00:00 2001
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Fri, 5 Aug 2016 13:44:10 -0600
+Subject: aacraid: Check size values after double-fetch from user
+commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
+In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
+get the fib header's size and one for the fib itself. Later we use the
+size field from the second fetch to further process the fib. If for some
+reason the size from the second fetch is different than from the first
+fix, we may encounter an out-of- bounds access in aac_fib_send(). We
+also check the sender size to insure it is not out of bounds. This was
+reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
+assigned CVE-2016-6480.
+CVE: CVE-2016-6480
+Upstream-Status: Backport
+Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
+Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index fbcd48d..16b2db3 100644
+--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
+@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
+        struct fib *fibptr;
+        struct hw_fib * hw_fib = (struct hw_fib *)0;
+        dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
+-       unsigned size;
+       unsigned int size, osize;
+        int retval;
+ 
+        if (dev->in_reset) {
+@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
+         *      will not overrun the buffer when we copy the memory. Return
+         *      an error if we would.
+         */
+-       size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+       osize = size = le16_to_cpu(kfib->header.Size) +
+               sizeof(struct aac_fibhdr);
+        if (size < le16_to_cpu(kfib->header.SenderSize))
+                size = le16_to_cpu(kfib->header.SenderSize);
+        if (size > dev->max_fib_size) {
+@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
+                goto cleanup;
+        }
+ 
+       /* Sanity check the second copy */
+       if ((osize != le16_to_cpu(kfib->header.Size) +
+               sizeof(struct aac_fibhdr))
+               || (size < le16_to_cpu(kfib->header.SenderSize))) {
+               retval = -EINVAL;
+               goto cleanup;
+       }
+
+        if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
+                aac_adapter_interrupt(dev);
+                /*
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend
index dd43619..2bfa59c 100644
--- a/recipes-kernel/linux/linux-ls1_3.12.bbappend
+++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -9,6 +9,7 @@ SRC_URI += "file://ls1021aiot.dts \
            file://net-CVE-2016-5696.patch \
            file://CVE-2016-3136.patch \
            file://CVE-2016-5195.patch \
+            file://CVE-2016-6480.patch \
           "
 # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-11-02 12:13:26 +0100
committer	Adrian Dudau <adrian.dudau@enea.com>	2016-11-03 14:10:34 +0100
commit	4f88be3f5aca8b19343fe093ac2790890e0c36f0 (patch)
tree	0f3c7995e9b072f54e26e6a144b51062c697a2c9
parent	7f5d5e29d35616653a50ab44fd2dd330a44c1bcc (diff)
download	meta-enea-bsp-arm-4f88be3f5aca8b19343fe093ac2790890e0c36f0.tar.gz

diff --git a/recipes-kernel/linux/linux-ls1/CVE-2016-6480.patch b/recipes-kernel/linux/linux-ls1/CVE-2016-6480.patch new file mode 100644 index 0000000..e78067e --- /dev/null +++ b/recipes-kernel/linux/linux-ls1/CVE-2016-6480.patch
@@ -0,0 +1,72 @@
		1	From bcc85e09fc60d2e99053eae3fd0515c343189375 Mon Sep 17 00:00:00 2001
		2	From: Dave Carroll <david.carroll@microsemi.com>
		3	Date: Fri, 5 Aug 2016 13:44:10 -0600
		4	Subject: aacraid: Check size values after double-fetch from user
		5
		6	commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
		7
		8	In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
		9	get the fib header's size and one for the fib itself. Later we use the
		10	size field from the second fetch to further process the fib. If for some
		11	reason the size from the second fetch is different than from the first
		12	fix, we may encounter an out-of- bounds access in aac_fib_send(). We
		13	also check the sender size to insure it is not out of bounds. This was
		14	reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
		15	assigned CVE-2016-6480.
		16
		17
		18	CVE: CVE-2016-6480
		19	Upstream-Status: Backport
		20
		21	Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
		22	Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
		23	Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
		24	Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
		25	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
		26	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		27	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		28	---
		29	drivers/scsi/aacraid/commctrl.c \| 13 +++++++++++--
		30	1 file changed, 11 insertions(+), 2 deletions(-)
		31
		32	diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
		33	index fbcd48d..16b2db3 100644
		34	--- a/drivers/scsi/aacraid/commctrl.c
		35	+++ b/drivers/scsi/aacraid/commctrl.c
		36	@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
		37	struct fib *fibptr;
		38	struct hw_fib * hw_fib = (struct hw_fib *)0;
		39	dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
		40	- unsigned size;
		41	+ unsigned int size, osize;
		42	int retval;
		43
		44	if (dev->in_reset) {
		45	@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
		46	* will not overrun the buffer when we copy the memory. Return
		47	* an error if we would.
		48	*/
		49	- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
		50	+ osize = size = le16_to_cpu(kfib->header.Size) +
		51	+ sizeof(struct aac_fibhdr);
		52	if (size < le16_to_cpu(kfib->header.SenderSize))
		53	size = le16_to_cpu(kfib->header.SenderSize);
		54	if (size > dev->max_fib_size) {
		55	@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
		56	goto cleanup;
		57	}
		58
		59	+ /* Sanity check the second copy */
		60	+ if ((osize != le16_to_cpu(kfib->header.Size) +
		61	+ sizeof(struct aac_fibhdr))
		62	+ \|\| (size < le16_to_cpu(kfib->header.SenderSize))) {
		63	+ retval = -EINVAL;
		64	+ goto cleanup;
		65	+ }
		66	+
		67	if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
		68	aac_adapter_interrupt(dev);
		69	/*
		70	--
		71	cgit v0.12
		72


diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend index dd43619..2bfa59c 100644 --- a/recipes-kernel/linux/linux-ls1_3.12.bbappend +++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -9,6 +9,7 @@ SRC_URI += "file://ls1021aiot.dts \
9	file://net-CVE-2016-5696.patch \	9	file://net-CVE-2016-5696.patch \
10	file://CVE-2016-3136.patch \	10	file://CVE-2016-3136.patch \
11	file://CVE-2016-5195.patch \	11	file://CVE-2016-5195.patch \
		12	file://CVE-2016-6480.patch \
12	"	13	"
13		14
14	# fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"	15	# fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"