git.baikalelectronics.ru Git - kernel.git/commit
aacraid: Check size values after double-fetch from user
author Dave Carroll <david.carroll@microsemi.com>
Fri, 5 Aug 2016 19:44:10 +0000 (13:44 -0600)
committer Martin K. Petersen <martin.petersen@oracle.com>
Tue, 9 Aug 2016 01:34:02 +0000 (21:34 -0400)
commit c818f77e791c65a5ce12b3909c0c93d5bf4ef6d4
tree 911d3db2ec31ca2e6cb401cc68efaa42603b897e
parent 5b3cba6f0f87c82388e6dc1077a9c97ad7e83e54
aacraid: Check size values after double-fetch from user

In aacraid's ioctl_send_fib() we do two fetches from userspace, one to
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fix, we may encounter an out-of-bounds access in aac_fib_send(). We
also check the sender size to ensure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: c78bd61f2 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: stable@vger.kernel.org
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/aacraid/commctrl.c
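
The re-check after the second fetch that the commit message describes, modelled in userspace C as an added example (not the driver's code and not part of this commit). `struct hdr`, `MAX_FIB`, `send_fib_checked()`, `demo()` and the `between_fetches` hook are hypothetical names, and `memcpy` stands in for `copy_from_user()`.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define MAX_FIB 64                                   /* constructed limit for this model */
struct hdr { uint16_t size; uint16_t sender_size; }; /* hypothetical header layout */

/* Hook that models another thread rewriting user memory between the fetches. */
static void (*between_fetches)(uint8_t *user);

/* Returns the accepted payload size, or -EINVAL. */
int send_fib_checked(uint8_t *user)
{
    struct hdr first, second;
    uint8_t kbuf[MAX_FIB];
    size_t size, osize;

    memcpy(&first, user, sizeof(first));        /* fetch 1: header only */
    size = first.size + sizeof(struct hdr);
    if (size > MAX_FIB)
        return -EINVAL;
    if (between_fetches)
        between_fetches(user);                  /* window between the two fetches */
    memcpy(kbuf, user, size);                   /* fetch 2: header plus payload */
    memcpy(&second, kbuf, sizeof(second));
    osize = second.size + sizeof(struct hdr);   /* size that later code would trust */
    if (osize != size || second.sender_size > MAX_FIB)
        return -EINVAL;                         /* header changed, or sender size out of bounds */
    return (int)second.size;
}

/* Constructed stand-in for a concurrent writer: rewrites the size field. */
static void grow_size(uint8_t *user)
{
    struct hdr h;
    memcpy(&h, user, sizeof(h));
    h.size = 4096;
    memcpy(user, &h, sizeof(h));
}

/* Runs one constructed request; race != 0 changes the size between the fetches. */
int demo(int race, uint16_t sender_size)
{
    uint8_t user[MAX_FIB] = {0};
    struct hdr h = { 16, sender_size };
    memcpy(user, &h, sizeof(h));
    between_fetches = race ? grow_size : NULL;
    return send_fib_checked(user);
}
```

Without the `osize != size` comparison, code that runs after the second fetch would act on a size of 4096 for a 20-byte copy, which is the mismatch the commit message attributes the out-of-bounds access to.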