summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-11-02 11:13:31 (GMT)
committerAdrian Dudau <adrian.dudau@enea.com>2016-11-03 13:11:09 (GMT)
commit5e6193026858039b0015b6adfd4fe37955b1d222 (patch)
treea203e9d396d39b8baa71b73ebbad6a6b46fdf420
parent9a717c218cd0e5b531c2c2d3e17ae4e9372326c0 (diff)
downloadmeta-enea-bsp-common-5e6193026858039b0015b6adfd4fe37955b1d222.tar.gz
kernel: scsi: aacraid: CVE-2016-6480
Fixes double fetch in ioctl_send_fib(). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480 Upstream bug: https://bugzilla.kernel.org/show_bug.cgi?id=116751 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=e4878ef66e5b8d01d6734b1952f9abb3eeea454c Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r--recipes-kernel/linux/files/CVE-2016-6480.patch71
-rw-r--r--recipes-kernel/linux/linux-yocto_4.%.bbappend1
2 files changed, 72 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/CVE-2016-6480.patch b/recipes-kernel/linux/files/CVE-2016-6480.patch
new file mode 100644
index 0000000..2cd521a
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2016-6480.patch
@@ -0,0 +1,71 @@
1From e4878ef66e5b8d01d6734b1952f9abb3eeea454c Mon Sep 17 00:00:00 2001
2From: Dave Carroll <david.carroll@microsemi.com>
3Date: Fri, 5 Aug 2016 13:44:10 -0600
4Subject: aacraid: Check size values after double-fetch from user
5
6commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
7
8In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
9get the fib header's size and one for the fib itself. Later we use the
10size field from the second fetch to further process the fib. If for some
11reason the size from the second fetch is different than from the first
12fix, we may encounter an out-of- bounds access in aac_fib_send(). We
13also check the sender size to insure it is not out of bounds. This was
14reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
15assigned CVE-2016-6480.
16
17CVE: CVE-2016-6480
18Upstream-Status: Backport
19
20Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
21Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
22Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
23Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
24Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
25Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27---
28 drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
29 1 file changed, 11 insertions(+), 2 deletions(-)
30
31diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
32index 54195a1..f78cc94 100644
33--- a/drivers/scsi/aacraid/commctrl.c
34+++ b/drivers/scsi/aacraid/commctrl.c
35@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
36 struct fib *fibptr;
37 struct hw_fib * hw_fib = (struct hw_fib *)0;
38 dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
39- unsigned size;
40+ unsigned int size, osize;
41 int retval;
42
43 if (dev->in_reset) {
44@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
45 * will not overrun the buffer when we copy the memory. Return
46 * an error if we would.
47 */
48- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
49+ osize = size = le16_to_cpu(kfib->header.Size) +
50+ sizeof(struct aac_fibhdr);
51 if (size < le16_to_cpu(kfib->header.SenderSize))
52 size = le16_to_cpu(kfib->header.SenderSize);
53 if (size > dev->max_fib_size) {
54@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
55 goto cleanup;
56 }
57
58+ /* Sanity check the second copy */
59+ if ((osize != le16_to_cpu(kfib->header.Size) +
60+ sizeof(struct aac_fibhdr))
61+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
62+ retval = -EINVAL;
63+ goto cleanup;
64+ }
65+
66 if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
67 aac_adapter_interrupt(dev);
68 /*
69--
70cgit v0.12
71
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend
index a81ff39..1a22b88 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -8,6 +8,7 @@ SRC_URI += "file://hid-CVE-2016-5829.patch \
8 file://CVE-2016-4951.patch \ 8 file://CVE-2016-4951.patch \
9 file://CVE-2016-5195.patch \ 9 file://CVE-2016-5195.patch \
10 file://CVE-2016-5400.patch \ 10 file://CVE-2016-5400.patch \
11 file://CVE-2016-6480.patch \
11 " 12 "
12 13
13ENEA_KERNEL_FRAGMENTS += "\ 14ENEA_KERNEL_FRAGMENTS += "\