> -----Original Message----- > From: linux-scsi-owner@xxxxxxxxxxxxxxx [mailto:linux-scsi- > owner@xxxxxxxxxxxxxxx] On Behalf Of Johannes Thumshirn > Sent: Thursday, August 04, 2016 2:36 AM > To: Martin K . Petersen; James Bottomley > Cc: Linux SCSI Mailinglist; Pengfei Wang; Johannes Thumshirn; > stable@xxxxxxxxxxxxxxx > Subject: [PATCH] aacraid: prevent out-of-bounds access due to changing fip > header sizes > > EXTERNAL EMAIL > > > In aacraid's ioctl_send_fib() we do two fetches from userspace, one to get the > fib header's size and one for the fib itself. Later we use the size field from the > second fetch to further process the fib. If for some reason the size from the > second fetch is different than from the first fix, we may encounter an out-of- > bounds access in aac_fib_send(). This was reported in > https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE- > 2016-6480. > > Reported-by: Pengfei Wang <wpengfeinudt@xxxxxxxxx> > Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Johannes Thumshirn <jthumshirn@xxxxxxx> > --- > drivers/scsi/aacraid/commctrl.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c > index 4b3bb52..2d4acd1 100644 > --- a/drivers/scsi/aacraid/commctrl.c > +++ b/drivers/scsi/aacraid/commctrl.c 
> @@ -118,6 +118,12 @@ static int ioctl_send_fib(struct aac_dev * dev, void > __user *arg) > goto cleanup; > } > > + if (size != le16_to_cpu(kfib->header.Size) > + + sizeof(struct aac_fibhdr)) { > + retval = -EINVAL; > + goto cleanup; > + } > + > if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { > aac_adapter_interrupt(dev); > /* > -- > 1.8.5.6 >

NAK, size is the MAX((header.size+hdr), sender_size). I will send a patch tomorrow which will insure that neither of those values is larger than size on the second fetch.

Thanks,
-Dave
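
Review bot: The equality test in the added `if` (`size != le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr)`) is stricter than the double-fetch problem needs, and per the reply in this thread it rejects legitimate requests where `size` was taken from the sender size rather than from the header size. An upper bound would cover the changed-header case without that side effect: after the second copy, read both size values from `kfib->header` again and return -EINVAL if either is larger than `size`. A one-line comment above the check saying that the header is re-validated because userspace can change it between the two fetches would also help the next reader.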
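
The two checks discussed in this thread, side by side, as an added example that is not code from the thread or from the aacraid driver: a userspace model of the two fetches in which `struct fib_hdr`, `MAX_FIB`, `send_fib_model()` and the `strict_equal` switch are hypothetical names chosen for the illustration.

```c
/* Userspace model of a double fetch. Struct, field and function names are
 * hypothetical stand-ins, not the aacraid driver's definitions. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct fib_hdr {
    uint16_t size;         /* payload size claimed in the header */
    uint16_t sender_size;  /* total size claimed by the sender */
};
#define MAX_FIB 512u       /* constructed limit for this model */

/* "User memory" is given as two snapshots of at least MAX_FIB bytes each, so
 * a caller can change the header between the two fetches. strict_equal
 * selects the equality test from the quoted patch instead of the bound. */
int send_fib_model(const uint8_t *user_fetch1, const uint8_t *user_fetch2,
                   int strict_equal, size_t *used_len)
{
    struct fib_hdr hdr, *kfib;
    size_t size, claimed;
    int ret = 0;

    /* Fetch 1: header only, to learn how much to copy. */
    memcpy(&hdr, user_fetch1, sizeof(hdr));
    size = (size_t)hdr.size + sizeof(hdr);
    if (size < hdr.sender_size)
        size = hdr.sender_size;   /* MAX(header size + hdr, sender size) */
    if (size > MAX_FIB)
        return -EINVAL;
    kfib = calloc(1, size);
    if (!kfib)
        return -ENOMEM;

    /* Fetch 2: the whole FIB, which overwrites the header checked above. */
    memcpy(kfib, user_fetch2, size);
    claimed = (size_t)kfib->size + sizeof(*kfib);
    if (strict_equal) {
        if (size != claimed)
            ret = -EINVAL;
    } else if (claimed > size || kfib->sender_size > size) {
        ret = -EINVAL;            /* neither value may exceed the allocation */
    }
    if (!ret)
        *used_len = claimed;      /* later processing trusts this length */
    free(kfib);
    return ret;
}
```

With an unchanged header whose sender size is larger than the header size plus header, the bound accepts the request while the equality test returns -EINVAL; both reject a header whose size field grows between the fetches.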