Re: [PATCH] aacraid: prevent out-of-bounds access due to changing fip header sizes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Aug 04, 2016 at 04:38:30PM +0000, David Carroll wrote:
> > -----Original Message-----
> > From: linux-scsi-owner@xxxxxxxxxxxxxxx [mailto:linux-scsi-
> > owner@xxxxxxxxxxxxxxx] On Behalf Of Johannes Thumshirn
> > Sent: Thursday, August 04, 2016 2:36 AM
> > To: Martin K . Petersen; James Bottomley
> > Cc: Linux SCSI Mailinglist; Pengfei Wang; Johannes Thumshirn;
> > stable@xxxxxxxxxxxxxxx
> > Subject: [PATCH] aacraid: prevent out-of-bounds access due to changing fip
> > header sizes
> > 
> > EXTERNAL EMAIL
> > 
> > 
> > In aacraid's ioctl_send_fib() we do two fetches from userspace, one the get the
> > fib header's size and one for the fib itself. Later we use the size field from the
> > second fetch to further process the fib. If for some reason the size from the
> > second fetch is different than from the first fix, we may encounter an out-of-
> > bounds access in aac_fib_send(). This was reported in
> > https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE-
> > 2016-6480.
> > 
> > Reported-by: Pengfei Wang <wpengfeinudt@xxxxxxxxx>
> > Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Johannes Thumshirn <jthumshirn@xxxxxxx>
> > ---
> >  drivers/scsi/aacraid/commctrl.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
> > index 4b3bb52..2d4acd1 100644
> > --- a/drivers/scsi/aacraid/commctrl.c
> > +++ b/drivers/scsi/aacraid/commctrl.c
> > @@ -118,6 +118,12 @@ static int ioctl_send_fib(struct aac_dev * dev, void
> > __user *arg)
> >                 goto cleanup;
> >         }
> > 
> > +       if (size != le16_to_cpu(kfib->header.Size)
> > +                       + sizeof(struct aac_fibhdr)) {
> > +               retval = -EINVAL;
> > +               goto cleanup;
> > +       }
> > +
> >         if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
> >                 aac_adapter_interrupt(dev);
> >                 /*
> > --
> > 1.8.5.6
> > 
> 
> NAK, size is the MAX((header.size+hdr), sender_size). I will send a patch tomorrow which will insure that neither of those values is larger than size on the second fetch.
> 
> Thanks, -Dave


OK, not sure if I understood you correctly, did you mean something like that:

diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index b381b37..a671b54 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -118,6 +118,10 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
 		goto cleanup;
 	}
 
+	size = max((le16_to_cpu(kfib->header.Size)
+		       + sizeof(struct aac_fibhdr)),
+		      le16_to_cpu(kfib->header.SenderSize));
+
 	if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
 		aac_adapter_interrupt(dev);
 		/*
@@ -127,7 +131,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
 		kfib->header.XferState = 0;
 	} else {
 		retval = aac_fib_send(le16_to_cpu(kfib->header.Command), fibptr,
-				le16_to_cpu(kfib->header.Size) , FsaNormal,
+				size , FsaNormal,
 				1, 1, NULL, NULL);
 		if (retval) {
 			goto cleanup;

-- 
Johannes Thumshirn                                          Storage
jthumshirn@xxxxxxx                                +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]