On Thu, Aug 04, 2016 at 04:38:30PM +0000, David Carroll wrote: > > -----Original Message----- > > From: linux-scsi-owner@xxxxxxxxxxxxxxx [mailto:linux-scsi- > > owner@xxxxxxxxxxxxxxx] On Behalf Of Johannes Thumshirn > > Sent: Thursday, August 04, 2016 2:36 AM > > To: Martin K . Petersen; James Bottomley > > Cc: Linux SCSI Mailinglist; Pengfei Wang; Johannes Thumshirn; > > stable@xxxxxxxxxxxxxxx > > Subject: [PATCH] aacraid: prevent out-of-bounds access due to changing fip > > header sizes > > > > EXTERNAL EMAIL > > > > > > In aacraid's ioctl_send_fib() we do two fetches from userspace, one the get the > > fib header's size and one for the fib itself. Later we use the size field from the > > second fetch to further process the fib. If for some reason the size from the > > second fetch is different than from the first fix, we may encounter an out-of- > > bounds access in aac_fib_send(). This was reported in > > https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE- > > 2016-6480. > > > > Reported-by: Pengfei Wang <wpengfeinudt@xxxxxxxxx> > > Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' > > Cc: stable@xxxxxxxxxxxxxxx > > Signed-off-by: Johannes Thumshirn <jthumshirn@xxxxxxx> > > --- > > drivers/scsi/aacraid/commctrl.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c > > index 4b3bb52..2d4acd1 100644 > > --- a/drivers/scsi/aacraid/commctrl.c > > +++ b/drivers/scsi/aacraid/commctrl.c > > @@ -118,6 +118,12 @@ static int ioctl_send_fib(struct aac_dev * dev, void > > __user *arg) > > goto cleanup; > > } > > > > + if (size != le16_to_cpu(kfib->header.Size) > > + + sizeof(struct aac_fibhdr)) { > > + retval = -EINVAL; > > + goto cleanup; > > + } > > + > > if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { > > aac_adapter_interrupt(dev); > > /* > > -- > > 1.8.5.6 > > > > NAK, size is the MAX((header.size+hdr), sender_size). I will send a patch tomorrow which will insure that neither of those values is larger than size on the second fetch. > > Thanks, -Dave OK, not sure if I understood you correctly, did you mean something like that: diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c index b381b37..a671b54 100644 --- a/drivers/scsi/aacraid/commctrl.c +++ b/drivers/scsi/aacraid/commctrl.c @@ -118,6 +118,10 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg) goto cleanup; } + size = max((le16_to_cpu(kfib->header.Size) + + sizeof(struct aac_fibhdr)), + le16_to_cpu(kfib->header.SenderSize)); + if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { aac_adapter_interrupt(dev); /* @@ -127,7 +131,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg) kfib->header.XferState = 0; } else { retval = aac_fib_send(le16_to_cpu(kfib->header.Command), fibptr, - le16_to_cpu(kfib->header.Size) , FsaNormal, + size , FsaNormal, 1, 1, NULL, NULL); if (retval) { goto cleanup; -- Johannes Thumshirn Storage jthumshirn@xxxxxxx +49 911 74053 689 SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg) Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html