On Wed, 2014-01-15 at 14:02 +0000, Luis Henriques wrote: > Hi, > > Please consider including the following commit in 2.6.32 and 3.8 stable > kernels (all the others already have it), as it fixes CVE-2013-6380: > > commit b4789b8e6be3151a955ade74872822f30e8cd914 Thanks Luis -- queuing it up for 3.8-stable. -Kamal > Author: Mahesh Rajashekhara <Mahesh.Rajashekhara@xxxxxxxx> > Date: Thu Oct 31 14:01:02 2013 +0530 > > aacraid: prevent invalid pointer dereference > > It appears that driver runs into a problem here if fibsize is too small > because we allocate user_srbcmd with fibsize size only but later we > access it until user_srbcmd->sg.count to copy it over to srbcmd. > > It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this > structure already includes one sg element and this is not needed for > commands without data. So, we would recommend to add the following > (instead of test for fibsize == 0). > > Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@xxxxxxxx> > Reported-by: Nico Golde <nico@xxxxxxxxx> > Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx> > Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> > > Cheers, > -- > Luis
Attachment:
signature.asc
Description: This is a digitally signed message part