linux/drivers/scsi/aacraid
Dave Carroll fa00c437ee aacraid: Check size values after double-fetch from user
In aacraid's ioctl_send_fib() we do two fetches from userspace, one to
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fetch, we may encounter an out-of-bounds access in aac_fib_send(). We
also check the sender size to ensure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: stable@vger.kernel.org
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2016-08-08 21:34:02 -04:00
Makefile [SCSI] aacraid: Add new code for PMC-Sierra's SRC based controller family 2011-03-23 11:36:58 -05:00
TODO
aachba.c aacraid: Removed unnecessary checks for NULL 2016-04-29 19:08:24 -04:00
aacraid.h aacraid: do not activate events on non-SRC adapters 2016-05-22 14:53:07 -04:00
commctrl.c aacraid: Check size values after double-fetch from user 2016-08-08 21:34:02 -04:00
comminit.c aacraid: Fix for KDUMP driver hang 2016-04-29 19:08:24 -04:00
commsup.c aacraid: Log firmware AIF messages 2016-04-29 19:08:24 -04:00
dpcsup.c aacraid: Remove code to needlessly complete fib 2016-04-29 19:08:24 -04:00
linit.c aacraid: do not activate events on non-SRC adapters 2016-05-22 14:53:07 -04:00
nark.c [SCSI] aacraid: Use resource_size_t for IO mem pointers and offsets 2012-07-20 08:58:43 +01:00
rkt.c [SCSI] aacraid: Use resource_size_t for IO mem pointers and offsets 2012-07-20 08:58:43 +01:00
rx.c aacraid: Add Power Management support 2015-11-09 15:59:18 -08:00
sa.c aacraid: Add Power Management support 2015-11-09 15:59:18 -08:00
src.c aacraid: Log firmware AIF messages 2016-04-29 19:08:24 -04:00